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Abstract 

"God does not play dice. He flips coins instead." And though for some reason He has denied 
us quantum bit commitment. And though for some reason he has even denied us strong coin 
flipping. He has, in His infinite mercy, granted us quantum weak coin flipping so that we too 
may flip coins. 

Instructions for the flipping of coins are contained herein. But be warned! Only those who 
have mastered Kitaev's formalism relating coin flipping and operator monotone functions may 
succeed. For those foolhardy enough to even try, a complete tutorial is included. 
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1 Introduction 



It is time again for a sacrifice to the gods. Alice and Bob are highly pious and would both like the 
honor of being the victim. Flipping a coin to choose among them allows the gods to pick the worthier 
candidate for this life changing experience. To keep the unworthy candidate from desecrating the 
winner, the coin flip must be carried out at a distance and in a manner that prevents cheating. 
Very roughly speaking, this is the problem known as coin flipping by telephone [ Blu81j . Quantum 
coin flipping is a variant of the problem where the participants are allowed to communicate using 
quantum information. 

Why is quantum coin flipping interesting/important/useful? First of all, it is conceivably pos- 
sible that someday somewhere someone will want to determine something by flipping a coin with 
a faraway partner, and that for some reason both will have access to quantum computers. The 
location of QIP 2050 could very well be determined in this fashion. 

Secondly, coin flipping belongs to a class of cryptographic protocols known as secure two-party 
computations. These arise naturally when two people wish to collaborate but don't completely 
trust one another. Sadly, the impossibility of quantum bit commitment |May96 , ILC98j shows that 
quantum information is incapable of solving many of the problems in this area. On the other 
hand, the possibility of quantum weak coin flipping shows that quantum information may yet 
have untapped potential. Among the most promising open areas is secure computation with cheat 
detection [ATSVYOOt IHK03j which may be better explored with the techniques in this paper. At 
a minimum, the standard implementation of bit commitment with cheat detection uses quantum 
weak coin flipping as a subroutine, so improvements in the latter offer (modest) improvements in 
the former. 

Finally, coin flipping is interesting because it appears to be hard, at least relative to other 
cryptographic tasks such as key distribution |Wie831 IBB84j . Of course, it is not our intent to 
belittle the discovery of key distribution, whose authors had to invent many of the foundations 
of quantum information along the way. But a savvy student today, familiar with the field of 
quantum information, would likely have no trouble in constructing a key distribution protocol. 
Most reasonable protocols appear to work. Not so with coin flipping, where most obvious protocols 
appear to fail. 

A cynical reader may argue that hardness is relative and may simply be a consequence of 
having formulated the problem in the wrong language. But this is exactly our third point: that the 
difficulty of coin flipping is really an opportunity to develop a formalism in which such problems 
are (relatively) easily solvable. 

This new formalism, which is the cornerstone of the protocols in this paper, was developed 
by Kitaev |Kit04j and can be used to relate coin flipping (and many other quantum games) to 
the theory of convex cones and operator monotone functions. From this perspective, the value of 
the present coin flipping result is that it provides the first demonstration of the power of Kitaev's 
formalism. 

We note that the formalism relating coin-flipping and operator monotone functions is an exten- 
sion of Kitaev's original formalism which was used in proving a lower bound on strong coin flipping 
|Kit03j . When we need to distinguish them, we shall refer to them respectively as Kitaev's second 
and first coin flipping formalisms. 

We will delay the formal definition of coin flipping to Section 11.11 and the history and prior 
work on the problem to Section 11.21 Instead, we shall give below an informal description of the 
new formalism. We shall focus more on what the finished formalism looks like rather than on how 
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Figure 1: A point game sequence with three configurations. Numbers outside the axes label location 
and numbers inside the axes label probability. The sequence corresponds to a protocol with = 1 
and = 1/2, that is, a protocol where Alice flips a coin and announces the outcome. 



to relate it to the more traditional notions of quantum states and unitaries (a topic which will be 
covered at length later in the paper). 

In its simplest form Kitaev's formalism can be described as a sequence of configurations, each 
of which consists of a few marked points on the plane. The points are restricted to the closure of 
the first quadrant (i.e., have non-negative coordinates) and each point carries a positive weight, 
which we call a probability. 

Two successive configurations can only differ by points on a single vertical or horizontal line. 
The rule is that the total probability on the line must be conserved (though the total number of 
points can change) and that for every A S (0, oo) we must satisfy 



where the left hand side is a sum over points before the transition and the right hand side is a 
sum over points after the transition. The variable z is respectively the x coordinate for transitions 
occurring on a horizontal line or the y coordinate for transitions occurring on a vertical line. The 
numbers Pz are just the probabilities associated to each point. An example of such a sequence is 
given in Fig. [TJ 

The boundary conditions of the sequence are as follows: The stating configuration always 
contains two points, each carrying probability one half, with one point located at x = 1 and y = 
and the other point at x = and y = 1. The final configuration must contain a single point, which 
carries unit probability (as required by conservation of probability). 

Each of these sequences can be translated into coin-flipping protocols such that the amount of 
cheating allowed is bounded by the location of the final point. In particular, if the final point is 
located at {x,y) then the resulting protocol will satisfy < y and < x, and hence the bias is 
bounded by max(x,y) — 1/2. 

We call these sequences "point games" and they are completely equivalent to standard protocols 
described by unitaries. There exists constructive mappings from point games to standard protocols 
and vice versa. The optimal coin-fiipping protocol can be constructed and tightly bounded by a 
point game. Hence, rather than searching for optimal protocols, one can equivalently search for 
optimal point games. These point games are formalized in Section [2] and examples are given in 
Section [3l 




(1) 



The configurations above are roughly related to standard semidefinite programing objects as 
follows: The x coordinates are the eigenvalues of the dual SDP operators on Alice's Hilbert space, 
the y coordinates are eigenvalues of the dual SDP operators on Bob's Hilbert space, and the weights 
are the probabilities assigned by the honest state to each of these eigenspaces. 

The obscure condition of Eq. ([1]) can best be understood if we describe the points on the line 
before and after the transition by functions p{z),p'{z) : [0, oo) [0, oo) with finite support. We 
then are essentially requiring that p'{z) — p{z) belong to the cone dual to the set of operator 
monotone functions with domain [0, oo). For those unfamiliar with operator monotone functions, 
their definition and a few properties are discussed later in the paper. 

We note an unusual convention that was used above and throughout most of the paper: the 
description of point games follows a reverse time convention where the final measurement occurs 
at t = and the initial state preparation occurs at t = n > 0. The motivation for this will become 
clear as the formalism is developed. 

Kitaev further simplified his formalism so that an entire point game can be described by a 
single pair of functions h{x,y) and v{x,y) that take real values and have finite support. The main 
constraint is that on every horizontal line of /i(x, y) and every vertical line of v{x,y), the sum of the 
weights must be zero, and the weighted average of must be non-negative for every A G (0, oo). 
Furthermore, h{x,y) + v{x,y) must be zero everywhere except at three points: (1,0) and (0,1) 
where it has value —1/2, and a third point (x, y), where it has value 1, and which is the equivalent 
of the final point of the original point games. This variant of point games is described in Section [H 

A simple example can be constructed using Fig. [2j The labeled points with outgoing horizontal 
arrows appear in h{x, y) with negative sign, whereas those with incoming horizontal arrows appear 
in h{x,y) with positive sign. Similarly for v{x,y) and the vertical arrows. The final point at (|, |) 
appears in both functions with positive coefficient and magnitude 1/2. That means that the point 
game corresponds to a protocol with i-*^ = = 2/3, or bias 1/6, and is a variant of the author's 
previous best protocol |Moc05] . 

The power of Kitaev's formalism is evident from the previous example as a complete protocol 
can be described by a single picture. Section [5] discusses in detail how to build and analyze such 
structures. Among the issues addressed are how to truncate the above infinite ladder so that 
the resulting figure has only a finite number of points as required by our description of Kitaev's 
formalism. 

To achieve zero bias in coin flipping, one can use similar constructions, but with more compli- 
cated ladders heading off to infinity. In particular, for every integer /c > we will build a protocol 
with 

P*=P*= — ^ (2) 
^ 2k + l ^ ' 

(technically, for each k we will have a family of protocols that will converge to the above values) . 
The case /c = allows both players to maximally cheat, the case A; = 1 is the author's bias 1/6 
protocol, and the limit k ^ oo achieves arbitrarily small bias. The details of this construction can 
also be found in Section [3 

All the new protocols are formulated in the language of Kitaev's formalism. Sadly, mechanically 
transforming these protocols back into the language of unitaries, while possible, does not lead to 
particularly simple or efficient protocols (i.e., in terms of laboratory resources). Finding easy to 
implement protocols with a small bias remains an interesting open problem. A number of other 
open problems can be found at the end of Section [6l 
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Figure 2: A coin-flipping protocol with bias 1/6. 



A first stab at finding good easy to implement protocols is given by Appendix El The section 
transforms the author's original bias 1/6 protocol (which uses a number of qubits linear in the 
number of messages) into a new form that uses constant space. In fact, the total space needed is 
one qutrit for each of Alice and Bob, and one qubit used to send messages. 

The key idea is to use early measurements to prune states that are known to be illegal. While 
in a theoretical sense measurements can always be delayed to the last step, their frequent use 
can provide practical simplifications (as is well know in key distribution). In fact, all the early 
measurements are of the flying qubit in the computational basis. 

The protocol in Appendix [A] is described in the standard language of unitaries, and an analysis 
is sketched using Kitaev's first formalism. As a bonus, the resulting protocol is related to the 
ancient and most holy game of Dip-Dip-Boom, also described therein. 

AppendixlBl proves strong duality for coin fiipping, which is an important lemma needed for both 
Kitaev's first and second formalisms. While strong duality does not hold in general semidefinite 
programs, it does in most, and there exists a number of lemmas that provide sufficient conditions. 
Unfortunately, some of the simplest lemmas do not directly apply to coin-fiipping. Instead, the 
appendix directly proves strong duality using simple arguments from Euclidean geometry. While 
all the ideas in this section are taken from standard textbooks, the presentation is still somewhat 
clever and novel. 

Finally, Appendix [Cl proves another mathematical lemma needed for Kitaev's second formalism. 
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It is the key step needed to turn the functions that underhe the point games back into matrices out 
of which states and unitaries can be constructed. Though some of the ideas are potentially novel, 
mostly it deals with standard technical issues from the theory of matrices. 

As a final goody, Section 13.2.31 includes a brief discussion and example of how to extend the 
formalism to include cheat detection. Of course, because weak coin-flipping can be achieved with 
arbitrarily small bias, adding in cheat detection isn't particularly useful. However, similar tech- 
niques may prove helpful in studying cheat detection for strong coin flipping and other secure 
computation problems. 

Author's note: Sections [2] and H] are based on my recollection of a couple of discussions with 
Kitaev and a subsequent group meeting he gave (of which I sadly kept no written record). As I 
have had to reconstruct some of the details, and as I have strived to move the discussion to finite 
dimensional spaces, some of Kitaev's original elegance has been replaced by a more pedantically 
constructive (and hopefully pedagogical) approach. I claim no ownership of the main ideas in these 
sections, though am happy to accept the blame for any errors in my write up. You should also know 
that all the terms such as UBP, "point game," and "valid transitions" are my own crazy invention, 
and are unlikely to be familiar to those who have leaned Kitaev's formalism from other sources. 

At this point, those familiar with the definition and history of coin flipping may wish to skip 
ahead to Section [2j Good luck! 

1.1 Coin flipping deflned 

Coin flipping is a formalization of the notion of flipping or tossing a coin under the constraints that 
the participants are mutually distrustful and far apart. 

The two players involved in coin flipping, traditionally called Alice and Bob, must agree on a 
single random bit which represents the outcome of the coin flip. As Alice and Bob do not trust 
each other, nor anyone else, they each want a protocol that prevents the other player from cheating. 
Furthermore, because they are far apart, the protocol must be implementable using only interaction 
over a communication device such as a telephone. The problem is known in the classical literature 
as "coin flipping by telephone" and was first posed by Manuel Blum in 1981 jBluSlj . 

There are two variants of coin flipping. In the first variant, called weak coin flipping, Alice 
and Bob each have a priori a desired coin outcome. The outcomes can be labeled as "Alice wins" 
and "Bob wins," and we do not care if the players cheat in order to increase their own probability 
of losing. In the second variant of coin flipping, called strong coin flipping, there are no a priori 
desired outcomes and we wish to prevent either player from biasing the coin in either direction. 

Obviously, strong coin flipping is at least as hard as weak coin flipping and in general it is 
harder. However, this paper is mainly concerned with weak coin flipping which we often simply 
refer to as "coin flipping". 

To be more precise in our definition, weak coin flipping is a two-party communication protocol 
that begins with a completely uncorrelated state and ends with each of the participants outputting 
a single bit. We say that Alice wins on outcome and Bob wins on outcome 1. The requirements 
are: 

1. When both players are honest, Alice's output is uniformly random and equal to Bob's output. 

2. If Alice is honest but Bob deviates from the protocol, then no matter what Bob does, the 
probability that Alice outputs one (i.e.. Bob wins) is no greater than P^. 
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3. Similarly, if Bob is honest but Alice deviates from the protocol, then the maximum probability 
for Bob to declare Alice the winner is P^. 

The parameters and define the protocol. Ideally we want = P^ = 1/2. Unfortunately, 
this is not always possible. We therefore introduce the bias max(P^, P^) — 1/2 as a measure of the 
security of the protocol. Our goal is to find a protocol with the smallest bias possible. 

Note that the protocol places no restrictions on the output of a cheating player, as these are 
impossible to enforce. In particular, when one player is cheating the outputs do not have to agree, 
and when both players are cheating the protocol is not required to satisfy any properties. This also 
means that if an honest player ever detects that their opponent has deviated from the protocol (i.e., 
the other player stops sending messages or sends messages of the wrong format) then the honest 
player can simply declare victory rather than aborting. This will be an implicit rule in all our weak 
coin-flipping protocols. 

Occasionally, it is worth extending the definition of coin flipping to case where the output is not 
uniformly random even when both players are honest. In such a case we denote by Pa the honest 
probability for Alice to win and by Pb = 1 — Pa the honest probability for Bob to win. 

1.1.1 Communication model 

It is not hard to see, that in a classical world, and without any further assumptions, at least one 
player can guarantee victory. For instance, if one of the players were in charge of flipping the coin, 
the other player would have no way of verifying via a telephone that the outcome of the coin is the 
one reported by the first player. 

Coin flipping can be achieved in a classical setting by adding in certain computational assump- 
tions [BluSlj . However, some of these assumptions will no longer be true once quantum computers 
become available. Coin flipping can also be achieved in a relativistic setting |Ken99j if Alice and 
Bob's laboratories are assumed to satisfy certain spatial arrangements. However, these requirements 
may not be optimal for today's on-the-go coin flippers. 

In this paper we shall focus on the quantum setting, where Alice and Bob each have a quantum 
computer with as much memory as needed, and are connected by a noiseless quantum channel. 
They are each allowed to do anything allowed by the laws of quantum mechanics other than 
directly manipulate their opponents qubits. The resulting protocols will have information theoretic 
security. 

Although at the moment such a setting seems impractical, if ever quantum computers are built 
and are as widely available as classical computers are today, then quantum weak coin flipping may 
become viable. 

1.1.2 On the starting state 

The starting state of coin-flipping protocols is by definition completely uncorrelated, which means 
that Alice and Bob initially share neither classical randomness nor quantum entanglement (though 
they do share a common description of the protocol). 

There are two good reasons for this definition. First, it is easy to see that given a known 
maximally entangled pair of qubits, Alice and Bob could obtain a correlated bit without even using 
communication. But the same result can be obtained when starting with a uniformly distributed 
shared classical random bit. Such protocols are trivial, and certainly do not require the power of 
quantum mechanics. The purpose of coin flipping, though, is to create these correlations. 
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Still, at first glance it would appear that by starting with correlated states we can put the 
acquisition of randomness, or equivalently the interaction with a third party, in the distant past. 
In such a model Alice and Bob would buy a set of correlated bits from their supermarket and then 
used them when needed. The problem is that they can now figure out the outcomes of the coin 
flips before committing to them. It is not hard to imagine that a cheater would have the power 
to order the sequence of events that require a coin flip so that he wins on the important ones and 
loses the less important ones. We would now have to worry about protecting the ordering of events 
and that is a completely different problem. 

A good one-shot coin-flipping protocol should not allow the players to predict the outcome of 
the coin flip before the protocol has begun, and enforcing this is the second reason that we require 
an uncorrelated stating state. 

It might be interesting to explore what happens when the no-correlation requirement is weakened 
to a no-prior-knowledge-of-outcome requirement, but that is beyond the scope of this paper. 

1.1.3 On the security guarantees 

The security model of coin flipping divides the universe into three parts: Alice's laboratory, Bob's 
laboratory and the rest of the universe. We assume that Alice and Bob each have exclusive and 
complete control over their laboratories. Other than as a conduit for information between Alice and 
Bob, the rest of the universe will not be touched by honest players. However, a dishonest player 
may take control of anything outside their opponent's laboratory, including the communication 
channel. 

The security of the protocols therefore depends on the inability of a cheater to tamper with 
their opponent's laboratory. What does this mean? Abstractly, it can be defined as 

1. All quantum superoperators that a cheater can apply must act as the identity on the part 
of the Hilbert space that is located inside the laboratory (including the message space when 
appropriate) . 

2. All operations of honest players are performed flawlessly and without interference by the 
cheater. 

3. An honest player can verify that an incoming message has the right dimension and can abort 
otherwise. 

In practice, however, this translates into requirements such as 

1. The magnetic shielding on the laboratory is good enough to prevent your opponent from 
affecting your qubits. 

2. The grad student operating your machinery cannot be bribed to apply the wrong operations. 

3. A nanobot cannot enter your laboratory though the communication channel. 

As usual, the fact that a protocol is secure does not mean that it will protect against the preceding 
attacks. The purpose of the security analysis is to prove that the only way to cheat is to attack an 
opponents laboratory, thereby guaranteeing that one's security is as good as the security of one's 
laboratory. 
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1.1.4 On the restriction to unitary operations 

It is customary when studying coin flipping to consider only protocols that involve unitary opera- 
tions with a single measurement at the end. It is also customary to only consider cheating strategies 
that can be implemented using unitary operations. 

Nevertheless, any bounds that are derived under such conditions apply to the most general case 
which includes players that can use measurements, superoperators and classical randomness, and 
protocols that employ extra classical channels. 

The above follows from two separate lemmas, which roughly can be stated as: 

1. Given any protocol P in the most general setting (including measurements, classical chan- 
nels, etc.) that has a maximum bias e under the most general cheating strategy (including, 
measurements, superoperators, etc.) then there exists a second protocol P' that is specified 
using only unitary operations with a single pair of measurements at the end and that also 
has a maximum bias e under the most general cheating strategy (including, measurements, 
superoperators, etc.). 

2. Given any protocol P specified using only unitary operations with a single pair of measure- 
ments at the end, and given any cheating strategy for P (which may include measurements, 
superoperators, etc) that achieves a bias e, we can find a second cheating strategy for P that 
also achieves a bias e but can be implemented using only unitary operations. 

Unfortunately neither of the above statements will be proven here, and the proofs for the above 
statements are distributed among a number of published papers, but good stating points are [LC98] 
and |May96| . 

The first statement implies that we need only consider protocols where the honest actions can 
be described as a sequence of unitaries. The result is important for proofs of lower-bounds on the 
bias, but is not needed for the main result of this paper. 

The reduction of the first statement also applies to protocols that potentially have an infinite 
number of rounds, such as rock-paper-scissors, where measurements are carried out at intermediate 
steps to determine if a winner can be declared or if the protocol must go on. Such protocols are 
dealt with by proving that there exist truncations that approximate the original protocol arbitrarily 
well. In such a case, though, the resulting bias will only come arbitrarily close to the original bias. 

The second statement implies that in our search for the optimal cheating strategy (or equiv- 
alently, in our attempts to upper bound the bias) we need only consider unitary cheaters. Note 
that measurements are not even needed in the final stage as we do not care about the output of 
dishonest players. 

The basic idea of the proof of the second statement is that any allowed quantum mechanical 
operation can be expressed as a unitary followed by the discarding of some Hilbert subspace. If 
the cheater carries out his strategy without ever discarding any such subspaces he will not reduce 
his probability of victory and will only need to use unitary operations. 

The second statement also holds when the honest protocol includes certain projective measure- 
ments such as those used in this paper. In fact, we will sketch a proof for this second statement in 
Section 12.1.11 as we translate coin flipping into the language of semidefinite programing. 
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1.2 A brief history muddled by hindsight 



Roughly speaking, cryptography is composed of two fundamental problems: two honest players try 
to complete a task without being disrupted by a third malicious party (i.e., encrypted communi- 
cation), and two mutually distrustful players try to cooperate in a way that prevents the opposing 
player from cheating, effectively simulating a trusted third party (i.e., choosing a common meeting 
time while keeping their schedules private). The second case is commonly known as two-party 
secure computation. 

In the mid 1980s, quantum information had a resounding success in the first category by enabling 
key distribution with information theoretic security [Wie83l IBB84j . Optimism was high, and it 
seemed like quantum information would be able to solve all problems in the second category as 
well. But after many failed attempts at producing protocols for a task known as bit commitment, 
it was finally proven by Mayers, Lo and Chau |May96 , ILC98j that secure quantum bit commitment 
was impossible. 

One of the reasons people had focused on bit commitment is that it is a powerful primitive 
from which all other two-party secure computation protocols can be constructed |Yao95| . Its 
impossibility means that all other universal primitives for two-party secure computation must also 
be unrealizable using quantum information |Lo97j. 

We note that when we speak of possible and impossible with regards to quantum information we 
always mean with information theoretic security (i.e., without placing bounds on the computational 
capacity of the adversary). Classically all two-party secure-computation tasks can be realized under 
certain complexity assumptions jYao82j but become impossible if we demand information theoretic 
security. Surprisingly, most multiparty secure-computations tasks can be done classically with 
information theoretic security so long as all parties share private pairwise communication channels 
and the number of cheating players is bounded by some constant fraction (dependent on the exact 
model) of the total number of players |(X]D881 IB()(;W881 [RB089]. Similar results hold in the 
multiparty quantum case |CGS02| . 

Given the impossibility of quantum bit commitment, and the fact that most multiparty problems 
can already be solved with classical information, the new goal in the late 1990s became to find any 
two-party task that is modestly interesting and can be realized with information theoretic security 
using quantum information. 

One of the problems that the literature converged on |GVW99] was a quantum version of the 
problem of flipping a coin over the telephone |Blu81] . Initially the focus was on strong coin flipping 
and Ambainis [AmbOl] and Spekkens and Rudolph [SR02aj independently proposed protocols that 
achieve a bias of 1/4. Unfortunately, shortly thereafter Kitaev |Kit03j (see also |ABDR04] ) proved 
a lower bound of l/\/2 — 1/2 on the bias. 

Research continued on weak coin flipping |KN04[ ISR02bt IRS04j and the best known bias prior 
to the author's own work was 1/^/2 - 1/2 ~ 0.207 by Spekkens and Rudolph |SE,02bj . The best 
lower bound was proven by Ambainis [AmbOl] and states that the number of messages must grow 
at least as (log log ^). In particular, it implies that no protocol with a flxed number of messages 
can achieve an arbitrarily small bias. 

At this point most known protocols used at most a few rounds of communication. The first non- 
trivial many-round coin-flipping protocol was published in |Moc04aj by the author and achieved a 
bias of 0.192 in the limit of arbitrarily many messages. In subsequent work |Moc05j it was shown 
that this protocol (and many of the good protocols known at the time) were part of a large family 
of quantized classical public-coin protocols. Furthermore, an analytic expression was given for the 
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bias of each protocol in the family, and the optimal protocol for each number of messages was 
identified. Sadly, the best bias that can be achieved in this family is 1/6, and this only in the 
limit of arbitrarily many messages (a new formulation of this bias 1/6 protocol can be found in 
Appendix lAl wherein we use early measurements to reduce the space needed to run the protocol 
to a qutrit per player and a qubit for messages). 

Independently, Kitaev created a new formalism for studying two player adversarial games such 
as coin flipping [ Kit04] . which built on his earlier work [Kit03] . The formalism describes the set of 
possible protocols as the dual to the cone of two variables functions that are independently operator 
monotone in each variable. Though the result was never published, we include in Sections [2] and 
m a description of the formalism. This formalism, which we shall refer to as Kitaev's second coin- 
flipping formalism, is the crucial idea behind the results in the present paper. A different extension 
of Kitaev's original formalism was also proposed by Gutoski and Watrous |GW07 ] . 

Looking beyond coin flipping, there is the intriguing possibility that we can still achieve most 
of protocols of two-party secure computation if we are willing to loosen our requirements: instead 
of requiring that cheating be impossible, we require that a cheater be caught with some non-zero 
probability. Quantum protocols that satisfy such requirements for bit commitment have already 
been constructed [ATSVYOOl IHK03j though the amount of potential cheat detection is known to 
be bounded |Moc04bj . 

The possibility of some interesting quantum two-party protocols with information theoretic 
security, plus many more protocols built using cheat detection, may mean that ultimately quantum 
information will fulfill its potential in the area of secure computation. But more work needs to be 
done in this direction, and we hope that the results and techniques of the present paper will be 
helpful. 

2 Kitaev's second coin-flipping formalism 

The goal of this section is to describe Kitaev's formalism which relates coin flipping to the dual 
cone of a certain set of operator monotone functions |Kit04| . 

The first step in the construction involves formalizing the problem of coin flipping and proving 
the existence of certain upper bound certificates for and P^. This is done in Section [2.11 and 
we refer to the result as Kitaev's first coin-flipping formalism as most of the material was used in 
the construction of the lower bounds on strong coin flipping [Kit03| . 

The next step, carried out in Section [2.21 involves using these certificates to change the maxi- 
mization over cheating strategies to a minimization over certificates, and overall to transform the 
problem of finding the best coin-flipping protocol into a minimization over objects we call upper- 
bounded protocols (UBPs). 

The third step involves stripping away most of the irrelevant information of the UBPs to end 
up with a sequence of points moving around in the plane. These "point games" are the main object 
of study of Kitaev's second formalism. They come in two varieties: time dependent (which are 
studied in Section 12. Sp and time independent (whose description is delayed to Section 14. ip . 

2.1 Kitaev's first coin-flipping formalism 

The first goal is to formalize coin-fiipping protocols using the standard quantum communication 
model of a sequence of unitaries with measurements delayed to the end. 
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Definition 1. A coin- flipping protocol consists of the following data 

• A, Ai and B, three finite- dimensional Hilbert spaces corresponding to Alice's qubits, the mes- 
sage channel and Bob's qubits respectively. We assume that each Hilbert space is equipped 
with a orthonormal basis of the form |0), |1), |2), . . . called the computational basis. 

• n, a positive integer describing the number of messages. 
For simplicity we shall assume n is even. 

• A tensor product initial state: |V'o) = li^Afi) ® |V'Af,o) ® iV'B.o) G -4 (X" 5. 

• A set of unitaries Ui, . . . ,Un on ^ (8) (X" ;S of the form 

jj _ I UA,i Ib for i odd, 
1 /_4 (gi UB,i for i even, 

where UA,i acts on ^ ® and UB,i acts on M. ®B. 

• {nA,o,nA,i}, a POVM on A. 

• {nij,o,nB,i}, a POVM on B. 
Furthermore, the above data must satisfy 

Ha,! ®Im® ns^olV'n) = n^.O ®Im® ^B,Mn) = 0, (4) 

where \tpn) = Un--- Ui\ipo). 

Given the above data, the protocol is run as follows: 

1. Alice starts with A and Bob starts with M <Si B. They initialize their state to |V'o)- 

2. For i = 1 to n: 

If i is odd Alice takes Ai and applies UA,i- 
If i is even Bob takes M. and applies C/^.i- 

3. Alice measures A with {11^,0, n^i^i} and Bob measures B with {IlBfi,IlB,i}- They each output 
zero or one based on the outcome of the measurement. 

When both Alice and Bob are honest, the above protocol starts off with the state IV'o) 8>.nd proceeds 
through the states 

\i;i) = Ui---Ui\i>o)- (5) 
The final probabilities of winning are given by 

Pa = |nA,o «>^>! 'XnB,o|V'n)P = TrpB^oTr^cg)^! |V'n)(V'n|] , 

Pb = \UA,10lM^'nB,l\i^n)\^ =TT[UA,lTTM^B\4'n)M, (6) 

where Eq. guarantees the second equalities above and the condition Pa + Pb = 1. In general, 
we will also want to impose Pa = Pb = 1/2 to obtain a standard coin flip. 



12 



How many messages does the above protocol require? Traditionally, we have one message after 
each unitary. We also need an initial message before the first unitary so that Alice can get Ai. We 
will think of this as the zeroth message. In total, we have n + 1 messages. However, the first and 
last message are somewhat odd: Alice never looks at the last message, so we could have never sent 
it. Also, in principle, Alice could have started with Ai and initialized it herself, which would at 
most reduce Bob's cheating power. So the whole protocol could be run with only n — 1 messages. 

However, the moments in time when the message qubits are flying between Alice and Bob (all 
n + 1 of them), mark particularly good times to examine the state of our system. In particular, we 
are interest in the state of A and B at these times which, when both players are honest, will be 

(^A,i = T^M(S>B\^i){^i\, o-B,i = Tr^®>l (7) 

for i = 0, . . . , n. 



2.1.1 Primal SDP 

Now that we have formalized the protocol, we proceed with the formalization of the optimization 
problem needed to find the maximum probabilities with which the players can win by cheating. 
The resulting problems will be semidefinite programs (SDPs). 

We will study the case of Alice honest and Bob cheating (the other case being nearly identical). 
As usual, we do not want to make any assumptions about the operations that Bob does, or even 
the number of qubits that he may be using, therefore we must focus entirely on the state of Alice's 
qubits. 

As Alice initializes her qubits independently from Bob, we know what their state must be during 
the zeroth message: 

PA,o = \tpA,o){i^A,o\- (8) 

Subsequently we shall lose track of their exact state, but we know by the laws of quantum mechanics 

that they must satisfy certain requirements. The simplest is that, since Bob cannot affect Alice's 
qubits, then during the steps when Alice does nothing the state of the qubits cannot change: 

PA,i = PA,i-i for i even. (9) 

Note that this is true even if Bob performs a measurement as Alice will not know the outcome, and 
therefore her mixed state description will still be correct. 

The more complicated case is the steps when Alice performs a unitary. Let /jaa be the state 
oi M. immediately after Alice receives the ith message (for i even, of course) . The laws of 
quantum mechanics again require the consistency condition 

T^M PA,i = PA,i for i even, (10) 

where pA,i is only restricted by the fact that Bob cannot affect the state of A. Note also that the 
above equation holds valid even if Bob uses his message to tell Alice the outcome of a previous 
measurement. 

Now when Alice applies her unitary and sends off M she will be left with the state 

PA,i = Ttm UA,iPA,i-iU\^ for i odd. (11) 
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Finally, Alice's output is determined entirely by the measurement of pA,n- In particular, Bob 
wins with probability 

Pwin = Tr \YlA,lPA,n] ■ (12) 

Now consider the maximization of the above quantity over density operators pAfi-, ■ ■ ■ , PA,n and 
PA,Oi ■ ■ ■ , PA,n-2 subject to Eqs. (|8|9|10|lip . Because the optimal cheating strategy must satisfy the 
above conditions we have 

< maxTr [UA,iPA,n] , (13) 

where the maximum is taken subject to the above constraints. 

The bound is also tight because any sequence of states consistent with the above constraints 
can be achieved by Bob simply by maintaining the purification of Alice's state. We sketch the 
proof: we inductively construct a strategy for Bob that only uses unitaries so that the total state 
will always be pure. Assume that Alice has PA,i-i (and the total state is |(/)j_i)) and Bob wants 
to make her transition to a given pA,i consistent with the above constraints. If i is even this is 
trivial. If i is odd, he must make sure to send the right message so that Alice ends up with the 
appropriate pA,i-i- But let \4>i-i) be any purification of PA,i-i into B. Because the reduced density 
operators on A of both and are the same, they are related by a unitary on and 

by applying this unitary Bob will succeed in this step. By induction he also succeeds in obtaining 
the entire sequence, as the base case for z = is trivial. We therefore have 

P*B = maxTi[UA,iPA,n]. (14) 

2.1.2 Dual SDP 

In the last section we found a mathematical description for the problem of computing P^. Unfor- 
tunately, it is formulated as a maximization problem whose solution is often difficult to find. It 
would be sufficient for our purposes, though, to find an upper bound on P^. Such upper bounds 
can be constructed from the dual SDP. 

In particular, in this section we will describe a set of simple-to-verify certificates that prove 
upper bounds on P^j. These certificates are known as dual feasible points. 

The certificates will be a set of n + 1 positive semidefinite operators Zaa, ■ ■ ■ , ZA,n on A whose 
main property is 

Tr[ZA,i~iPA,i^i] > TT[ZA,iPA,i] (15) 

for i = 1, . . . ,n and for all pA,o, ■ ■ ■ , PA,n consistent with the constraints of Eqs. (j8|9|10|lip . Addi- 
tionally, we require 

ZA,n = IlA,l. (16) 

Given a solution P*ao^ ■ ■ ■ ' P*An which attains the maximum in Eq. (jl4p . we can use the above 
properties to write 

ii^AfllZAfilipAfi) = Tr[ZA,oPA,o] > Tr[ZA,„/3A,n] = Pb: (17) 
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obtaining an upper bound on P^. The crucial trick is that while we do not know the complete 
optimal solution, we do know that p^^ = \'4'Afi){i^Afl\-, which gives us a way of computing the 
upper bound. 

How do we enforce Eq. (|15p ? We do it independently for each transition: For i odd, Eqs. (jlO|lip 
give us pA,i-i = Tr;n PA,i~i and pA,i = TiM[UA,iPA,i~iU\^^\. We are therefore trying to impose 

Tr [(ZA,i-i /a^) /5A,i-i] > Tr {Z A,i ® I m) U A,iP A,i-iU\^i . (18) 
A sufficient condition (which is also necessary if pA,i-i is arbitrary) is given by 

ZA,i-i (E)Im> U\^i iZA,i ® Im) UA,i for i odd. (19) 

In general, even when Bob is cheating, not all possible density operators PA,i-i are attainable 
(otherwise he would have complete control over Alice's qubits). Therefore, the above constraint 
could in principle be overly stringent. However, we shall prove in the next section that arbitrarily 
good certificates can be found even when when using the above constraint. 

Using a similar logic, when i is even we have the relation pA,i = PA,i~i and so a sufficient 
condition on the dual variables is Z^^i-i > Za^i- However, from Alice's perspective these are 
just dummy transitions. We introduced extra variables to mark the passage of time during Bob's 
actions, but really we want to keep Alice's system unchanged during these time steps. Therefore, 
we impose the more stringent requirement on the dual variables 

ZA,i-i = ZA,i for i even. (20) 

We can summarize the above as follows: 

Definition 2. Fix a coin-flipping protocol P. A set of positive semidefinite operators Za,o, ■ ■ ■ , ZA,n 
satisfying Eqs. U0il9^2O\) is known as a dual feasible point (for the problem of cheating Bob given 
a protocol P). 

Our arguments above prove: 

Lemma 3. A dual feasible point Za.o, ■ ■ ■ , Za^u for a coin-flipping protocol P constitutes a proof 
of the upper bound (tpAfilZAfili^Afi) ^ Pb- 

The importance of the above upper bounds is that the infimum over dual feasible points actually 
equals P^. In other words, there exist arbitrarily good upper bound certificates. This result is 
known as strong duality and is proven in Appendix [Bl 



2.2 Upper-Bounded Protocols 

Thus far we have studied Kitaev's first coin-flipping formalism. Given a protocol it helps us 
find the optimal cheating strategies for Alice and Bob by formulating these problems as convex 
optimizations. In general, however, we do not have a fixed protocol that we want to study. Rather, 
we want to identify the optimal protocol from the space of all possible protocols. Kitaev's second 
coin-flipping formalism will help us formulate this bigger problem as a convex optimization. 

The goal is to compute the minimum (over all coin-flipping protocols) of the maximum (over all 
cheating strategies for the given protocol) of the bias. Alternating minimizations and maximizations 
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are often tricky, but we can get rid of this problem by dualizing the inner maximization, that is, by 
replacing the maximum over cheating strategies with a minimum over the upper-bound certificates 
discussed in the last section. The goal becomes to compute the minimum (over all coin-flipping 
protocols) of the minimum (over all upper-bound certificates for the given protocol) of the bias. 

But we can go a step further and pair up the protocols and upper bounds to get a single math- 
ematical object which we call an upper-bounded protocol. The space of upper-bounded protocols 
includes bad protocols with tight upper bounds, good protocols with loose upper bounds and even 
bad protocols with loose upper bounds. But somewhere in this space is the optimal protocol to- 
gether with its optimal upper bound and by minimizing the bias in this space we can find it (though, 
strictly speaking, we must carry out an infimum not a minimum and will only arrive arbitrarily 
close to optimality). 

Definition 4. An upper-bounded (coin- flipping) protocol, or UBP, consists of a coin-flipping 
protocol together with two numbers (3 and a, a set of positive semidefinite operators Za,o, • • • , Z^.n 
defined on A and a set of positive semidefinite operators ZBfi, ■ ■ ■ , ZB,n defined on B which satisfy 
the equations 



ZAfl\'4^Afl) = /3|V'A,o) 
ZA,i-l <^Im> {ZA,i <^ Im) UA,i 

ZA,i-l = ZA,i 

ZA,n = n^,i 



Zb,o\tPb,o) = a\il^B,o) 

ZB,i-i = ZB,i (i odd) 

Im ® ZB,i^i > U^B,i i^M ® ZB,i) UB,i (i even) 

ZB,n = ^B,0 (21) 



We shall refer to the pair (/3, a) as the upper bound of the UBP. 
Theorem 5. A UBP satisfies 

P*B <P, Pl< «, (22) 

where P^ and are the optimal cheating probabilities of the underlying protocol. 

Note the reverse order of /3 and a. That is because /3, which is the upper bound on Bob's 
cheating, must be computed from quantities that involve operations on Alice's qubits. We will 
normally list quantities defined or computed on A before those from B. 

The proof of the bound on P^ from Theorem [5] follows directly from Lemma [3l We shall not 
prove the equivalent bound on P^ tough it follows from nearly identical arguments. 

The main difference between the dual feasible points described in the previous section and the 
one used in the definition of UBPs is that the latter is more restrictive: rather than just setting 
P = {ipA,o\ZA,o\i^A,o) we additionally require that |V'A,o) be an eigenvector of Zaa- 

Clearly these more restricted dual feasible points still yield the desired upper bounds, proving the 
theorem. What we shall argue below, though, is that we have not sacrificed anything by imposing 
this additional constraint. Any upper bound that can be proven with the original certificates can 
be proven with these more restricted certificates as well. 

We use the fact that for every e > there exists a A > such that 

(^{lpA,o\ZA,o\lpAfl) + e^\lpA,o){lpAfl\ + - \TpA,o){lpA,o\^ > ^A,0- (23) 

The left hand side has \ipA,o) as an eigenvector as desired, and by transitivity of inequalities it can 
be used as the new Za,o- On Bob's side a similar construction can be used to replace both Zb^ 
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and Zb,i while maintaining their equaUty. By taking e arbitrarily small we can get arbitrarily close 
to the old dual feasible points, and so the infimum over both sets will be the same. 

In summary, we have defined our UBPs and argued that finding the infimum over this set is 
equivalent to seeking the optimal coin-flipping protocol. In particular, we have shown that: 

Theorem 6. Let f{P, a) :MxM. be a function such that f{a', /?') > f{a, 13) whenever a' > a 
and (3' > (3, then 

inf /(P^,P1)= inf /(/?,a), (24) 

proto UBP 

where the left optimization is carried out over all coin-flipping protocols and the right one is carried 
out over all upper-bounded protocols. In particular, the optimal bias /(/?, a) = max(/3, a) — 1/2 can 
be found by optimizing either side. 

2.2.1 Lower bounds and operator monotone functions 

We begin our study of upper-bounded protocols by showing how to place lower bounds on the set 
of UBPs. Though we will not prove any new lower bounds, the ideas presented in this section will 
motivate the constructions of the next sections. 

The main tool tool that we will be using is the following inequality 

{iJi-l\ZA,i-l O /a^ ZB,i-i\iJi-i) > {'lpi\ZA,i ^Im'^ ZB,i\-ipi) (25) 
which is the bipartite equivalent of Eq. (jlSp . The proof for i odd is that 

{llJi-l\Z A,i-1 (2) Im^ ZB,i~l\'4'i^l) > {lpi-i\{U\^- (g) lB)ZA,i ^ Im^ ZB,i{UA,i ® lB)\'^i-l) 

= {lpi\ZA,i (8) /a4 ® ZB,i\lpi) (26) 

and the proof for i even is nearly identical. 
Iterating we obtain the inequality 

Pa= {4^o\Za,0® Im® ZB,o\i^o) > {ll^n\ZA,n® Im® ZB,n\i^n) 

= (V'n|nA,l ®Im® nB,o|^n> = (27) 

or equivalently Pb^a — ^' which admittedly is rather disappointing. 

But there is hope. If we had been studying strong coin flipping and were interested in the case 
when both Alice and Bob want to obtain the outcome one, the above analysis would be correct 
given the minor change Zb^ti = n^^i. In such case the above inequality would read PbPa — ^/^ 
which is Kitaev's bound for strong coin flipping [Kit03j . 

For historical purposes we note that the results up to this point were already part of Kitaev's 
first formalism. Pedagogically, though, it makes more sense to call the optimizations given a fixed 
protocol the "first formalism" and the optimizations over all protocols the "second formalism." 

Returning to the case of weak coin flipping, we can obtain better bounds by inserting operator 
monotone functions into the above inequalities. An operator monotone function / : [0, oo) [0, oo) 
is a function that preserves the ordering of matrices. That is 

X>Y^ f{X) > f{Y) (28) 
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for all positive semidefinite operators X and Y . The simplest example of an operator monotone 
function is f{z) = z. Another example is /(z) = 1. Note that not all monotone functions are 
operator monotone. The classic example is /(z) = which is monotone on the domain [0,oo) but 
is not operator monotone. A few more facts about operator monotone functions are collected in 
the next section. 

How do we use the operator monotone functions? A moment ago we were studying the ex- 
pression (V'il-^A.i <^ ® ZB^ilipi)- But we could just as well study the expression (■(/'j|^A,i ® Im ® 
f{ZB^i)\tpi) for any operator monotone function /. We could then prove an inequality similar to 
Eq. ([25]) . and iterating we would end up with the condition /?/(a) > Pb/(0), where Pb is the 
honest probability of Bob wining. Choosing f{z) = 1 we can derive the bound > Pb, which at 
least has the potential of being saturated. 

The next obvious step is to put operator monotone functions on both sides and study expressions 
of the form {tpi\f{ZA,i) ®Im ® g{ZB,i)\'4'i) ■ But because at any time step only one of Za^i and ZB,i 
increases, we can do even better. 

Definition 7. A bi-operator monotone function is a function f{x, y) : [0, oo) x [0, oo) [0, oo) 

such that when one of the variables is fixed, it acts as an operator monotone function in the other 
variable. 

More specifically, given c G [0, oo) define f(c, z) : [0, cxd) [0, co) to be the function z f{c, z) 
(i.e., where the first argument has been fixed). Similarly, let f{z,c) : [0,cxd) [0,oo) be the function 
obtained by fixing the second argument. We say f{x, y) is bi-operator monotone if both f{c, z) and 
f{z,c) are operator monotone for every c E [0,oo). 

Furthermore, given f{x,y) : [0, oo) x [0, oo) [0,oo) we extend its definition to act on pairs of 
positive semidefinite operators as follows: let X = ^^Xi\xi){xi\ and Y = X]j then 

f{X,Y) = ^/(x„y,)ki)(x.| \y,){y,\. (29) 

id 

Bi-operator monotone functions satisfy a few simple properties: 

• IfY' >Y then f{X, Y') > f{X, Y). 

• If [/ is unitary then f{X, UYU^) = (/ U)f{X, Y) (l ® C/t) . 

• When acting on a tripartite system f{X, I ®Y) = f{X (8) /, Y). 

We are now ready to prove our most general inequality. Given a bi-operator monotone function 
/ then we can write 

{i;i^l\f{ZA,^-l,IM^ ZB,^-lM^l) > {iPi\f {ZA,^, Im ^ ZB,i)\iJi) , (30) 
whose proof is nearly identical to Eq. (j26p . Iterating, we obtain the lemma: 

Lemma 8. Given any bi-operator monotone function f , we obtain a bound on coin-flipping proto- 
cols given by 

f{P^,PX)> PBf (1,0) + PAf (OA). (31) 

Can we use bi-operator monotone functions to prove an interesting bound on weak coin flipping? 
Certainly not if we believe that we can achieve arbitrarily small bias. However we shall see that 
the spaces of bi-operator monotone functions and coin-flipping protocols are essentially duals. If 
there were no arbitrarily good protocols then we would be able to prove that fact using the above 
lemma. 
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2.2.2 Some more facts about operator monotone functions 



Operator monotone functions are well studied and a good reference on the subject is [Bha97j . As 
they are also central to the task of constructing coin-flipping protocols we collect here some of their 
most important properties which will be used throughout the paper. 

Our main interest are functions that map the set of positive semidefinite operators to itself. 
Therefore, when not otherwise stated, we assume all operator monotone functions have domain 
[0,00) and range contained in [0, 00). In general, though, operator monotone functions can be 
defined on any real domain. 

The space of operator monotone functions (on a fixed domain) forms a convex cone. If f{z) 
and g{z) are operator monotone then so are 

af{z)+bg{z) (32) 

for any a > and 6 > 0. Another simple property is that if f{z) is operator monotone on a domain 
(a, b) then for any c S M we have f{z — c) is operator monotone on (a + c, 6 + c). 

A very important function which is operator monotone on the domain (0, 00) is f{z) = —1/z. 
The proof is given byy>X>0^/> y-i/2xy-i/2 ^ / < (y-i/2j^y-i/2)-i ^ / < 
yi/2^-iyi/2 — y~i > —X~^. By shifting and restricting the domain we get 

m = ~ (33) 

which is operator monotone on [0, cxd) for A G (0, 00), though the range is negative. The range can 
be fixed by scaling and adding in the constant function to get 1 — = 

In fact, the above functions together with f{z) = z and f{z) = 1 span the extremal rays of the 
convex cone of operator monotone functions. More precisely, every operator monotone function 
/ : (0, 00) — > [0, 00) has a unique integral representation 

fiz) = ci + C2Z+ dw{X), (34) 

Jo ^ + z 

where ci,C2 G M are non-negative and dw{X) is a positive measure such that j^dw{X) < 00. 
In particular, they are infinitely differentiable. 

The general case, where the domain is the interval / = (a, b) C M, is nearly identical but with 
the integral ranging over —A S M \ I. When the domain is the closed interval [a, b] then functions 
must be operator monotone on (a, 6) and monotone on [a,b] so that /(a) < lim^^g^+ f{z) and 
/(6)>lim_,-/(z). 



2.3 Time Dependent Point Games 

In previous sections we have paired the honest probability distribution aA,i with the dual variable 
ZA,i- We have also paired the full honest state \ipi) with the operator ZA,i®I®ZB,i- These pairings 
have led to interesting results, but they can also become rapidly unwieldy because they contain too 
much information, such as a choice of basis. The goal of this section is to get rid of most of this 
excess information and strip the problem to a bare minimum that still contains the essence of coin 
flipping. 

The key idea for the following discussion is to use the honest state to define a probability 
distribution over the eigenvalues of the dual SDP variables. This idea is captured by the next 
definition. 
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Definition 9. Given Z = Yl,zec\g{Z) -^HW, a positive semidefinite matrix expressed as a sum of its 
eigenspaces, and a, a second positive semidefinite matrix defined on the same space, we define the 
function Proh{Z, a) : [0, c«) — >■ [0, cxd) as follows 

p(.) = P.„b(Z..) ^ M.)-!^!*'"! ^,!^'^<^'- (35) 

ID otherwise. 

Similarly, given a vector \tp) instead of a we define Prob(Z, : [0, oo) — > [0, oo) by 

pW=Prob(Z.|^)) ^ = |<^l"'"l*' ^^^''^(^»- (36) 

I L) otherwise. 

Note that by construction Prob(Z, ^ Prob(Z, 

We think of the above functions p{z) as belonging to the space of functions [0, oo) — *■ [0, oo) 
with finite support. The motivation for the construction is that given any function with arbitrary 
support f{z) : [0, oo) — > R we have 

p{z) = PToh{Z,a) J]p(2)/(2:) = IV[a/(Z)], (37) 

2 

where the sum on the left is over the finite support of p{z) . 

A similar construction can be used for the bipartite case. Take Zj^ = YIza ^^^^a^^ 

Zb = J2zb '^b^^b'^^ on B and on A<Si M <Si B and combine them to form the two-variable 
function 



/ (Vlnl^^l ^Im^ ng«] ZA e eig(Z^) and ZB e eig{ZB), 
P[ZA,ZB) — S _ .1 • v-JOj 

I otherwise, 

which we will denote by Prob(Z^, Zb, \tp))- 

Often it will be useful to use an algebraic notation when describing functions with finite support. 

For single- variable functions p{z) with finite support we introduce a basis {[zi]} of functions that 
take the value one at Zi and are zero everywhere else. For instance, a function with two nonzero 
values p{zi) = c\ and piz'i) = ci can be written as 

^? = Ci[zi] + C2[Z2]. (39) 

Similarly, for the bipartite we use {[a:;,y]} as basis elements for the functions p{x,y) with finite 
support. For instance, the initial state Prob(Z^,05 Zb,o, IV'o)) of a UBP always has the form 

l[P,a]. (40) 

On the other hand, because ZA,n = ^A,i and Zb^h = ^B,o are just the projections onto the 
opposing player's winning space, the final state Prob(Z^^n) -^s.n) iV'n)) of a UBP always has the 
form 

Pb[1,0]+Pa[0,1] (41) 
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as can be verified from Eq. Note, however, that the label on n^^o refers to the coin outcome 
and not the associated eigenvalue. Because Zs^n = ^^B,o + 011^ i, the projector onto the one 
eigenvalue of ^ 

is given by 11^' = n^^o and similarly 11^^ = n^^i. 

In fact, given a UBP we can compute for every i the functions Proh{ZA,i, ZB,i,\ipi)), which 
allows us to visualize the UBP as a movie of sorts where at each time step there is a finite set of 
points in the plane. The points move around between time steps according to some rules which 
we will determine in a moment. We call these sequences point games and we shall show that they 
contain all the important information about UBPs. 

One important convention that we introduce, though, is that point games are always described 
in reverse time order. Henceforth, we will refer to Eq. ()4ip as the first or t = point configuration 
whereas Eq. (j40p will be referred to as the last or t = n point configuration. More generally, the 
point configuration at t = i will be constructed from the operators ZA,n-i, Zs^n-i and iV'n-i)- 

The motivation for reversing the time order is as follows: first we get to begin at a known 
starting configuration such as 0.5[1,0] + 0.5[0, 1] (for the main case of interest Pa = Pb = 1/2). 
From there, we can move the points around following the rules of point games until they merge 
into a single point at some location [/?, a]. We can do this without fixing in advance the number of 
steps, but rather using the existence of a single point as an end condition. The sequence of moves 
will then encode a UBP with upper bound (/?, a). 

So what are these rules for moving points around? Let begin with the one-variable case and 
examine a transition between Pi{z), constructed from ZA,n-i and aA,n-i, and pi+i{z), constructed 
from ZA,n-i-i and aA,n-i-i- A necessary condition is 

^Pi(^)/(^)< (42) 

z z 

for every operator monotone function /, where again the sums range over the finite supports of the 
respective probability distributions. 

The condition is trivially necessary on the time transitions when Bob acts and Alice does 
nothing because then pi = Pi+i. To prove that the condition is necessary for the non-trivial tran- 
sitions recall the usual relation ZA,n~i-i ^ Im ^ „_j(-^A,n-i ® lM)UA,n-i- Also let dA,n-i-i = 

TrB[|V'n-j-l)(V'n-j-l|] SO that aA,n~i-l = Tr;K[o-A,n--i-l] and (TA,n-i = Tr;^![f^A,n-iO-A,n-i-lf^jl^„_j] 
and therefore 

'^Pi{z)f{z) = i:i[aA,n-if{ZA,n~i)]=^[^A,n-i~lf{UA^^_^ZA,n-i® lMUA,n-i)] (43) 

2 

< Tr[a-A,n-j-i/(^A,n-i-i ® Im)] = Tr[fTA,n-i-i/(-^A,n-i-i)] = y^_^Pi+i{z)f{z). 

z 

Sadly, there are no sufficient conditions that can be derived just by looking at one side of the 
problem. Nevertheless, it will be useful to define the transitions that satisfy the above constraints 
as the valid set of transitions, as this notion will be used as a building block when studying the 
more complicated bipartite transitions. 

Definition 10. Let pi{z) and pi+i{z) be two functions [0, cxd) [0,oo) with finite support. We say 
Pi{z) pi+i{z) is a valid transition ifJ2zPii-^) ~ Sz^^«+i(-2^)' ^''^^ for every operator monotone 
function f we have 

5]K(^)/(^)<5]mi(^)/(^)- (44) 

z z 
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Furthermore, we say that the transition is strictly valid if YlzP'i'i'^)fi'^) YlzP'i+'^i'^)f(^) /^^^ 
every non-constant operator monotone function f. 

For reasons to become clear below, we do not restrict the functions Pi{z) and Pi^i{z) to sum to 
one. However, we do require that their sum be equal so that probability is conserved. 

Because we have a characterization of the extremal rays of the cone of operator monotone 
functions, it is sufficient when checking for valid transitions to use the set of functions f\{z) = 
for A € (0,00). As for the other two extremal functions, the constraint from f{z) = 1 is 
independently imposed as conservation of probability, and the constraint from f{z) = z follows 
from the limit A ^ 00 of f\{z). It is worth stating this explicitly: 

Lemma 11. Let pi{z) and pi+i{z) be two functions [0, cxd) [0,oo) with finite support. The 
transition Pi{z) — >■ pi-^-l(z) is valid if and only if — pi{z)) =0 and for every A G (0, 00) 

we have J2z ~ Pii^)) - ^■ 

Not surprisingly, a set of necessary conditions for bipartite transitions constructed from UBPs 
is that 



for every bi-operator monotone functions /, where as usual the sums are over the finite support of 
the respective probability distributions. Unfortunately, the space of bi-operator monotone functions 
is not as well characterized as the space of operator monotone functions, and therefore it would be 
better to have a set of conditions that are constructed from the latter: 

Definition 12. Let pi{x,y) and pi^i(x,y) be two functions [0, 00) (JD [0, 00) [0, 00) with finite 
support. We say pi(x,y) pij^i{x,y) is a valid transition if either 

1. for every c G [0, 00) the transition pi{z , c) pi+i{z,c) is valid, or 

2. for every c G [0, 00) the transition Pi{c, z) — ^ Pi+i{c, z) is valid, 

where as before Pi{z,c) is the one-variable function obtained by fixing the second input. We call the 
first case a horizontal transition and the second case a vertical transition. 

The first case occurs when Alice applies a unitary and the second case when Bob applies a unitary. 
As opposed to the single variable transitions, the bipartite condition of validity is not transitive. 
However, we can define the notion of transitively valid for two functions if there is a sequence of 
functions beginning with the first one and ending with the second one, such that each transition 
is valid. The main object of study for this section will be transitively valid transitions of the form 
Pb [1,0]+ Pa [0, 1] — > 1[P, a], where we always assume Pa,Pb >0 are some fixed numbers such that 



Definition 13. A time dependent point game (TDPG) is a sequence po{x,y), ... ,pn{x,y) 
of functions [0,oo) [0, 00) [0, 00) with finite support, such that every transition pi{x,y) — > 
Pi+i{x,y) is valid and such that the first and last distributions have the form 




(45) 



Pa + Pb = 1. 



Po = Pb[1,0]+Pa[0,1] 



and Pn = 1[P, a]. 



(46) 



We say that [P, a] is the final point of the TDPG. 
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The above definition can be extended to games beyond coin-flipping which have many possible 
outcomes. If outcome i has honest probability qi, and pays Oj > to Alice and 6^ > to Bob, 
the same formalism applies if we use as starting state po = ctj]- This paper will focus 

exclusively on weak coin- flipping though. 

Our first task will be to prove that given a UBP with bound (/?, a) we can build a TDPG 
with final point [/?, a]. We have already done most of the work by constructing the probability 
distributions out of the UBP and showing that they have the right initial and final states. What 
remains to be shown is that the transitions pi{x,y) — > pj+i(x,y) are valid. 

We focus on the transitions when Alice applies a unitary, the other case being nearly identi- 
cal. Given a UBP, we construct the distribution pi = Fi:oh{Z A,n-i, ZB,n-i, |V'n-i)) and the distri- 
bution = Vvob{ZA,n-i-i-, Zs^n-i-i-, iV'n-i-i))- The UBP Operators satisfy the usual relations 

ZA,n-i-l®lM > U\^^_-{ZA,n-i®lM)UA,n-i, ZB,n-i-l = ZB,n-i and IV'n-i) = UA,n-i^ lB\lpn-i-l) ■ 

We expand the state \ijjn-i-i) as 



where \y) are normalized eigenvectors of Zs^n-i and {(py) are non-normalized states on ^ ® Ai. 
Because this is not necessarily a Schmidt decomposition, the vectors {(py) are not necessarily or- 
thogonal, however this will not be a problem. The key idea now is to note that given a fixed y, the 
function = FToh{ZA,n~i~i, Pn~i-i,y) where Pn-i-i,y = Tr M[\4>y){4>y\]- Similarly, the func- 

tion Pi{x,y) = Fioh{ZA,n~i, Pn-i,y) where Pn^i,y = TrM[UA,n-i\4>y) {4>y\UA^n_i]- ^^^^ relationship 
between these quantities is the same as it was the analysis of one-sided probability transitions, and 
the proof of Eq. (|l3|) goes through with pn~i-i,y, Pn-i,y and \(py){4>y\ taking the place of aA,n-i-i-, 
(TA,n-i and aA,n-i-i- Therefore, for every y £ [0, oo) the transition pi{x,y) — > is valid 

and therefore the full transition pi{x,y) — > pi+i{x,y) is valid as well. 

We have just proven that given a UBP with bound {(3, a) we can construct a TDPG with final 
point [/?, a]. The converse is also true in the following sense: given any TDPG with final point 
[P,a] and an e > there exists a UBP with bound (/? + e,a + e). This is enough because we are 
only concerned with infimums, and the infimums over both sets will be equal. Constructing UBPs 
from TDPGs will require a fair amount of work to be done in the next couple of sections. Some 
readers may prefer to first study the TDPG examples in Section [3l 

2.3.1 Coin-flipping protocols with projections 

The description of the coin-flipping protocols built from TDPGs will be greatly simplified if we 
can use measurements at intermediate steps throughout the protocol. Of course, there is nothing 
special about protocols that involve measurements, as these can always be delayed to the last step. 
However, doing so requires simulating the measurement with a unitary and keeping the simulated 
outcomes in some extra qubits, which adds extra complexity to the description of the protocol. 
Early measurements can result in significant improvements in the description of a protocol and the 
number of qubits employed. An example of this is given in Appendix |A] which takes the author's 
original bias 1/6 protocol requiring arbitrarily many qubits and reduces the space used to a single 
qutrit per player plus a single qubit for messages. 

In fact, for such simplifications we need only allow a special kind of projective measurement: 
at certain steps the players will use a two outcome POVM of the form {E,I — E}, where E is a 




(47) 



y 
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projector (i.e., E"^ = E"^ = The protocol will be set up so that if both players play honestly 
the first outcome will always be obtained, and if the second outcome is observed the players will 
immediately abort (at which point they can declare themselves the winner) . We will place one such 
projection immediately after each unitary. 

The goal of this section is to formalize the needed notion of protocols with projections, describe 
their dual feasible points, and show how they are equivalent to regular protocols. It can be safely 
skipped by those familiar with the result. 

Definition 14. A coin-flipping protocol with projections is a coin-flipping protocol with the 
addition of n projection operators Ei, . . . ,En of the form 



such that Ei\ipi) = for every i = 1, . . . ,n 

The protocol is implemented as before, except that immediately after implementing Ui the acting 
player measures using {Ei, I — Ei} and aborts on the second outcome. 

To prove the equivalence of protocols with and without measurements, not only do we need 
to construct a canonical unitary-based protocol for every protocol with measurements, but we 
also need to show that the new protocol does not allow for any extra cheating. This is done by 
constructing a canonical map from the dual feasible points of the protocol with measurements to 
the dual feasible points of the unitary protocol such that the upper bounds are preserved (or at 
least come arbitrarily close to each other). Effectively, we aim to construct a map from "UBPs 
with measurements" to regular UBPs. As most of the constructions are fairly standard, we will 
only sketch the details. 

As usual we focus on the case of honest Alice and cheating Bob. The primal SDP requires 

pAfl = \i^Afl){ipAfl\, PA,i = PA,i-i for i even, and P^i„ = Tr [n^.iPA.n] as before. However, the new 
element is that for i odd we have 



The trace of pA,i is no longer unity but rather it encodes the probability that we have reached step 
i without aborting and pA,i/ Tr[p^^j] is the state at step i given that no aborts have occurred. The 
inequality on the right equation allows for Bob to abort, though it is certainly never optimal for 
him to do so. 

The dual SDP has as before ZA,n = n^,i, ZA,i-i = ZA,i for i even, and /3 = {iPa,o\Za,o\i/ja,o) 
but now for i odd we impose the condition 



Given a protocol with projections and a dual feasible point let us build a unitary protocol with 
a matching dual feasible point. We will put primes on all expressions of the new protocol that differ 
from the one with measurements. 

The number of rounds and the message space will be the same, but we will add n qubits to 



both A and B so that A' = (C^)®" (g, A and B' = B (g> (C^)^". These extra qubits will store the 
measurement outcomes (though technically we only need ra/2 qubits on each side). The new initial 




EA,i <X) Ib for i odd, 
I A ® EB,i for i even, 



(48) 



PA,i = T^M EA,iUA,iPA,i-lU\ -EA,i , for T^M PA,i-l < PA,i-l- 



(49) 



ZA,i-l ®Im> UA^iEA,i iZA,i <8) Im) EA,iUA,i 



(50) 
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state will set all the new qubits to zero IV'ao) ~ 1^) l^^.o) ^^(^ I^bo) ~ IV-'s.o) 'iS' |0), and when 
playing honestly they will always remain zero. The final projectors only give the victory to the 
other player if all the extra qubits are zero so that 11^ ^ = |0)(0| I^A,l and H'^ q = / — 11^ ^ and 
similarly II'^q = IIb^o ® |0)(0| and 11'^ ^ = I — H^q. Finally, the new unitaries simply simulate a 
measurement after applying the regular operation 

U'A^i = MA,i {I ® UA,i) for i odd, (51) 

U'e^i = MB,i {UB,i /) for i even, (52) 

where Ma^z and Ms^i are controlled unitaries with target given by the original A (or B) and new 
qubit number i and control given by the other n — 1 new qubits. The matrices acts as the identity 
unless all the n — 1 control qubits are zero, in which case they apply the operation 

where the blocks correspond to the computational basis of new qubit i. 

It is not hard to check that the new protocol is indeed a valid coin-flipping protocol and that 
the honest probabilities of winning Pa and Pb are the same as in the original protocol. 

Now we take a dual feasible point for the original protocol and fix e > 0. We will construct a 
dual feasible point for the new protocol with = /9 + ne. For i even define 

ZA,i = |0) (0| ® {ZA,i + {n- i)el) + KFi, (54) 

where Fj is a projector onto the space such that at least one of the new qubits labeled i + 1 

through n is non-zero, and Aj > is a constant to be determined in a moment. By construction 

^An = '^^A,n = n^.i 1^' = (V'a.oI^a,oIV'a,o) = (V'Aol ^Ao + V'A.o) = /3 + ne as required. 
We can also set = Z'j^ ^ for i even, so that the only constraint that remains to be checked is 

Z'A,i-2 ®Im> U'A,i-i^ {Z'A,i ® Im) U'A,i^,. (55) 

We will describe a decomposition A' = Hi ® 'H2 ® ® H4 such that both sides of the above 
inequality are block diagonal with respect to it, and therefore we can check the inequality on each 
block separately. The decomposition is obtained by looking at the n new qubits of A' from last 
(qubit n) to first (qubit 1) and picking out the first non-zero qubit. 

• Hi contains vectors where the first non-zero qubit is one of i -|- 1, . . . , n. 

• H2 contains vectors where the first non-zero qubit is either i — 1 01 i, but excluding the vector 
where qubit i — 1 is the only non-zero. 

• H3 contains vectors where the first non-zero qubit is one of 1, . . . , z — 2. 

• H4 contains the space where all new qubits are zero or where all qubits but qubit i — 1 are 
zero. 

On Hi we have Fi_2 = = / so the inequality reads Aj_2/ > Aj/, and is satisfied so long as Aj 
is a decreasing sequence. On H2 we have Fi-2 = I and Fj = so the inequality reads Aj_2/ > 0. 
On 7^3 we have Fi_2 = Fj = so the inequality reads > 0. Finally, Ha is the only space on which 
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MA,i-i acts non-trivially. Writing X = ZA,i-2 (X" Im + {n — i + 2)el and Y = Za,% ® Im + {n — 
and using U = UA,i-i, E = EA,i-i we need to check the block diagonal inequality 

fx \ fU^ ()\f E I-E\fY (}\f E I-E\fU 0\ 

VO Ai_2/y - \0 Uy\I-E E J \0 o)\I-E E ) \0 u) 

_ / U'fEYEU U''EY{I-E)U \ 

~\U\I-E)YEU U\l - E)Y{I - E)U) ' 

From the constraints on the original dual feasible point wc had ZA,i-2(^lM ^ E{ZA,i0lM)EU = 
U^EYEU — (n — i)eE and therefore X > U'^ EYEU . In turn, this implies that for sufficiently large 
Aj_2 the whole matrix inequality holds, and then we just need to make sure that Aj_2 is also larger 
than Aj. We have not specified yet A„ but this one can be chosen to be zero as it effectively never 
appears anywhere. That concludes the proof of the equivalence of protocols with and without 
projective measurement. 



2.3.2 Compiling TDPGs into UBPs 

We had previously shown how to construct a TDPG out of a UBP. In this section we will describe 
the reverse construction, thereby proving TDPGs and UBPs equivalent. 

Wc assume that all transitions in the given TDPG alternate between horizontal and vertical 
(i.e., if we have a sequence of two valid horizontal transitions we can combine them into a single 
valid transition by removing the middle step). We also assume that the first transition pQ — > pi 
is vertical and the last one Pn-i — >■ Pn is horizontal (which can be accomplished by adding trivial 
transitions at the beginning or end). All TDPGs obtained from UBPs have this form. 

We will also need to assume that in the given TDPG all non-trivial one- variable transitions are 
strictly valid. This is justified by the following lemma. 

Lemma 15. Given any TDPG po, . . . ,pn with final point [/?, a] and an e > 0, there exists a second 
TDPG qo, ■ ■ ■ ,qm with final point [/3+e/2, a+e/2] such that every non-trivial one-variable transition 
is strictly valid. 

Proof. We construct the new TDPG by shifting up (or left) each set of points in qi relative to its 
predecessor. More specifically let [i/2] and [i/2j be i/2 rounded up and down respective. There 
are respectively the mimbcr of vertical and horizontal transitions that have occurred to reach pi. 
Now define the new TDPG by 



i{x,y) =Pi{x 



e 

-,y 

n 



(56) 



The final point is [/? -|- |, a -|- |] as required. Also each non-trivial transition is now strictly valid: 
for instance, if qi qi+i is a horizontal transition and y G [0, oo) such that ^^^^(-z,?/) 7^ 0, then 
(using y' = y-\^]fi) 



= ^Pi+iiz,y)f{z + 

z 

> ^Pi+iiz,y^)f{z + 



n n 



n 



> 



^Pi{z,y)f{z + 



n' 



(57) 

Y.p[{z.y)f{z) 
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for every non-constant operator monotone /. The first inequality follows because non-constant 
operator monotone functions are strictly monotone and the second because f{z + c) is operator 
monotone for c > 0. □ 



The next step in our argument relies on two lemmas which we state below and prove in Appendix [Cl 
They are the essential ingredient which takes pairs of functions, such as those in a TDPG, and 
compiles them back into the language of matrices. 

Lemma 16. Let p{z) and q[z) he functions [0, oo) [0, oo) with finite support. If p{z) q{z) 
is strictly valid then there exists positive semidefinite matrices X and Y and an (unnormalized) 
vector such that X <Y , p = Prob(X, |^)) and q = Prob(y, \ 

Lemma 17. The matrices X and Y in Lemma\T^ can he chosen such that 

1. The spectrum of X is equal to {0} U S{p), with all non-zero eigenvalues occurring once. 

2. The spectrum ofY is equal to {A} U S{q), for some large A > 0, with all other eigenvalues 
occurring once. 

3. The dimension of X and Y is no greater than \S{p)\ + \S{q)\ — 1. 
where S{p) and S{q) are respectively the supports of p and q. 

Because we are now assuming that every non-trivial one-variable transition is strictly valid, 
we can use Lemma [16] to turn the transitions into matrices from which we will extract unitaries. 
However, first we need to standardize the Hilbert space on which all of these matrices are defined. 

Let us fix a finite set S of non-negative numbers, and assume we are given a strictly valid 
transition p ^ q such that the supports of both p and q are contained in S. What we want to 
argue is that we can choose X and Y of Lemma [TBI so that their spectrum is exactly S (union zero 
for X or union some large value A for Y) and such that the only degenerate eigenvalues are zero 
for X and A for Y . 

The argument is simple, we start with X and Y satisfying the requirements of Lemma [171 If 
the A appearing in Y is not larger than the maximum of S we can simply increase it. Now we just 
start appending in the missing eigenvalues from S one at a time (increasing the dimension of the 
matrices by using a direct sum). If some value c G is in X but not in Y we can append it to Y if 
at the same time we append a zero to X. Similarly if c G S" is in y but not in X we can append it 
to X if at the same time we append an extra A eigenvalue to y. If c G S" appears in neither matrix 
we append it to both at the same time. The dimension of the new matrices so constructed is no 
larger than 2|S'|. The dimension can be made exactly equal to 2|S'| by appending in extra zeros to 
X and As to Y. 

To extract unitaries from these matrices, note that given any basis, we can find a unitary U 
such that UXU'^ is diagonal and has non-negative coefficients with respect to this basis. In 

particular, if we choose the basis that diagonalizes Y and such that \tp) has non- negative coefficients, 
then we can find such a unitary U and get 

Yd > U^XdJ, (58) 

where Xd and Yd are diagonal in the computational basis with the same spectrum as X and Y 
respectively. Additionally, by construction the non-negative coefficients in the computational basis 
must have the form \'tjj) = ^/(^i\i) and U\tjj) = Putting everything together, we obtain 

the following rather surprising lemma. 
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Lemma 18. Let S be a finite set of non-negative numbers. Let p ^ q be a strictly valid transition 
such that the support of both p{z) and q{z) are contained in S. Let 7i be the Hilbert space spanned 
by s) : i £ {0, 1}, s G S"} and define 

Z = ^s|0,s)(0,s|. (59) 

Then there exists a sufficiently large number A > and a unitary U such that 

U^Vq(s)\0,s) = ^y^p{s)\0,s) and Z + APi > ZU, (60) 

where Pi = |l,,s)(l,s| is the projector onto the space where the first qubit is one. 

Note that the result is non-trivial. If p — > g is not valid then no such unitary exists. 

In the protocol below we will essentially be able to choose all our dual operators equal to 
^^g^ s|0, s)(0, s| + APi. We then use our projective measurements to reset the eigenvalue A to 
zero on every transition so we can apply the above lemma. The unitaries, though, require more 
care. During every bipartite transition pi(x,y) — > pj+i(x,y) we have many one- variable strictly 
valid transitions pi{x,y) — > pi+i{x,y) during Alice's turn (or Pi{x,y) — > Pi+i{x,y) during Bob's 
turn), each of which defines a different unitary in the above lemma. What Alice needs to do on her 
turn is to apply a block diagonal unitary with each block corresponding to a different strictly valid 
transition. In other words she needs to be able to apply a controlled unitary with control given 
by Bob's state. That is what the messages are used for. Bob will store his state in an entangled 
subspace of (E> ^ so that Alice can use it as control but not change it too much. Similarly, Alice 
will store her state in an entangled subspace A<^M so that Bob can access it. This construction 
is similar to one used in |KMP04] . 

We are now ready to construct the protocol. Fix a TDPG by po,... ,Pn with strictly valid 
transitions and final point [/?, a]. The protocol will be defined with the same n representing the 
number of messages. 

To define the relevant Hilbert spaces let Sa (resp. Sb) be the finite set of x coordinates (resp. y 
coordinates) of points that are assigned non-zero probability by Pi{x, y) for some i. By construction 
0, 1, /3 G Sa and 0, 1, a G Sb- Set 

A = span{|i,Sa) : i G {0, l},Sa e -Sa}, (61) 
M = span{|sa,Sfe) : Sa G 5^,56 G ^b}, (62) 
B = span{|sb,i) : Sfe G G {0, 1}}. (63) 

It will ocassionally be useful to write M. = A' ® B' where A' = span{| Sa) : Sa G Sa} and B' = 
span{|s6) : Sh G Sb]- 

The initial states will be 

IV'ca) = |0,/3), |Vo,M> = |/3,a), |Vo,B> = |a,0). (64) 

The projections that follow the unitaries will have the form 

EA, i = EA = ^ \^,Sa){^,Sa\®\Sa){Sa\® Ib', (65) 

EB, i = EB = ® ^ |sfe)(sfe| ® |s6,0)(sf,,0|, (66) 
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where EA_,i is defined for i odd and Es^i for i even. Basically acts on A<Si M and ensures that 
the first qubit is and the registers Sa in A and Ai agree. 
The final measurement operators will have the form 

Ha,! = |0,1)(0,1|, nB,o = |1,0)(1,0| (67) 

with Haa = I ~ n^,! and 11^,1 = I — q- 

All that remains is to describe the unitaries, which will be done in a moment. The unitaries 
are to be chosen so that the honest state during the zth messages is 

= X] \/pn-i{Sa, Sb) |0, Sa) \Sa, Sb) O |sb, 0), (68) 

where we remind the reader of our "reverse time" convention of TDPGs relative to protocols. The 
above definition agrees with our choice of initial state IV'o)- It is also easy to see that the projection 
operations that follow the unitaries will always succeed if both players are honest. Finally, we have 
IV'n) = Pb\0, 1, 1, 0, 0, 0) + Pa\0, 0, 0, 1, 1,0) so Alice and Bob will agree on the coin outcome, which 
will have the required probability distribution. 

Before defining the unitaries, we fix a single A > larger than all elements of Sa and Sb and 
large enough so that all the strictly valid transitions in the given TDPG can be turned into unitaries 
satisfying the constraints of Eq. (f60|) . 

To construct the unitaries for Alice it is useful to define the subspace A C A <Si A' given by 
A = {\i,Sa,Sa) : i € {0,1}, Sa £ Sa} and let P^ be the the projector onto the complement of A 
in Ai^ A' . Let i be odd so that W6 can build. Uj^^i out of th.6 horizontal transition Pn—i — ^ Pn— i+i* 
The unitary will be block diagonal of the form 

UA,i= Yl {Ua^ + PA)'^\'b){sb\, (69) 

where U^f can be viewed as a unitary operator on A. li pn-i{sa, S),) = Pn-i+i{sa, Sb) then we 
choose U^A^ ~ ^ otherwise Pn-i{sa, Sb) Pn-i+i{sa, Sb) is strictly valid and by Lemma [TBI we can 
choose U^''^_^ on A such that 

Za + APi > U^^fzAU^A^i (70) 

for Za = Sa\0,Sa,Sa){0,Sa,Sa\, Pi = \l, Sa, Sa) {I, Sa, Sa\ and SUch that 

Sa, Sa) — \/pn-i{Sa, Sb)|0, Sa, Sa 

)■ (71) 

We can now directly verify the equation UA,i ® -^el^j-i) = IV'i) with states given by Eq. (j68p . The 
unitaries U B,i for Bob are defined analogously, and otherwise we have completed the description of 
the coin-flipping protocol associated to the TDPG. 

What remains is to describe dual feasible points for the above protocol that prove the bounds 
Pa < Oi and < j3. If we define the operators 

Za = ^Sa|0,Sa)(0,Sa| +A^|l,Sa)(l,Sa| (72) 

Sa Sa 

Zb = J^Sb|0,S6)(0,S6|+Aj^|l,Sb)(l,Sb| (73) 

Sb Sb 
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on A and B respectively. The desired dual feasible points are given by ZA,i = Za and Zs^i = Zb 
for all i except that we must set ZA,n = -^A.n-i = ^A,i and Zb^u = ^B,o as required by our slightly 
inflexible definitions. As usual, we will only verify the case of Alice honest and Bob cheating as the 
other case is nearly identical. 

We trivially have Za,o\iPa,o) = Pl'ipAfi)- The main constraint that we need to verify is 

Zaa-I <S)Im> U\^^EA {ZA,r ® Im) EaUa^i (74) 

for i odd. The special case of z = n — 1 will be proven if we show that the above inequality holds 
with ZA,n-i = Za because Za > ^a,i and inequalities are transitive. 
First we note that in all cases 

Ea (Za,! ^ Im) Ea = Za® h' = ^ Sa|0, Sa, Sa)(0, Sa, Sal ® Ib', (75) 

Sa 

where Za has support on A. The unitary C/^.i rnaps ^ (8) i3' to itself, so the right hand side of 
Eq. (f71]l has support on A<Si B' . The operator ZA,i-i tX" Im is block diagonal with respect to the 
decomposition of A<SiAi into A<SiB' and its complement, and so the inequality is trivially satisfied 
in the latter space. In A<^ B' what remains to be shown is 

Za + AY, \'^,Sa,Sa){l,Sa,Sa\ \ (^Ib' >Uli{ZA<^IB')UA,^= Yl U^lfzAU'^)^(®\st){sb\ 

Sa&SA ) Sf,GSB 

(76) 

and the inequality follows from the definition of U^f . 

What we have proven is that we can take a TDPG with strictly valid transitions and final point 
[P,a] and turn into a UBP with projections with bound (/?,«). However, in the last section we 
proved that UBPs with projections come arbitrarily close to regular UBPs, and at the top of this 
section we proved that TDPGs with strictly valid transitions come arbitrarily close to any arbitrary 
TDPGs. Therefore, we have proven that TDPGs are equivalent to UBPs, which we state formally 
as an extended version of Theorem [H 

Theorem 19. Let /(/?, a) : M x M — > R 6e a function such that f{a', (3') > f{a, (3) whenever a' > a 
and (3' > (3, then 

inf f{P*B,P*A) = inf /(/3,a) = inf /(/3,a), (77) 

proto UBP TDPG 

where the left optimization is carried out over all coin-flipping protocols, the middle one is carried 
out over all upper-bounded protocols, and the right one is carried out over all time dependent point 
games. 

Note that the above construction of a UBP out of a TDPG is not optimal in terms of resources. 
In particular, in most cases the number of qubits needed could be drastically reduced. It is also 
not in general true that if we start with a UBP, translate it into a TDPG and then construct from 
it a UBP we will end up with the same one. In fact, given two UBPs with the same underlying 
protocol but different dual feasible points, if we converted into TDPGs and then back into UBPs, 
the resulting protocols will be radically different! 
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3 The illustrated guide to point games 



The purpose of this section is to build an intuition about point games. In the first part of the 
section we will classify a few of the simplest valid transitions. These moves will be part of a basic 
toolbox of transitions that will be used throughout the paper. 

In the second part of this section we use our basic moves to build some simple coin-flipping 
protocols, all described in the language of TDPGs. The examples include the bias l/\/2 — 1/2 
protocol of Spekkens and Rudolph [SR02b] and the author's bias 1/6 protocol |Moc05j . 

In this section we will make extensive use of the basis for functions with finite support introduced 
in the last section. In particular, we use [z] to denote a one variable function that evaluates to one 
at a fixed point z, and is zero everywhere else. We also use [x, y] to denote a two-variable function 
that is one at (x, y) and zero everywhere else. 

3.1 Basic moves 

We aim to systematically describe all non-trivial one-variable valid transitions of the following 
forms: one points to one point, two points to one point and one point to two points. The latter two 
respectively generate all transitions of the form n points to one point and one point to n points. 

Nevertheless, these will not form a complete basis of all valid transitions. Even two point to 
two point transitions contain moves that cannot be generated by the above set. Ultimately, the 
most concise description of the set of all valid transitions is as the dual to the cone of operator 
monotone functions. 

3.1.1 Point raising 

All possible one point to one point transitions have the form 



where we have already imposed the constraint of probability conservation, and we assume p > 0. 
We now need to impose the constraints pf{z) < pf{z') for all operator monotone functions. Using 
f{z) = z we have obtain the necessary condition 



It is also sufficient because all operator monotone functions are monotonically increasing. 

When working in a bipartite case we see that p[x, y] — > p[x' , y] is valid if and only if x < x' (and 
similarly with p[x, y] p[x, y'] and y < y'). More generally, p[x, y] — > p[x' , y'] is transitively valid if 
and only if x < x' and y < y' . In simpler words: we can always move points upwards or rightwards 
but not downwards or leftwards. We will call these moves point raising (even when we are moving 
rightwards) . 

Note that the presence of extra unmoving points does not affect any of the one variable transi- 
tions. The transition p[z] — > p[z'] is valid if and only if p[z] + J2iPi[^i] ~^ pW] + YliPii^il valid 
(where ^^iPiizi] is any other set of points with positive probability). 



p[z] -^p[z'], 



(78) 



z < z . 



(79) 
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3.1.2 Point merging 



All possible two point to one point transitions have the form 

Pl[zi] +P2[Z2] {Pl +P2)[z']- 



(80) 



where we have already imposed the constraint of probability conservation, and we assume pi > 
and p2 > 0. We now need to impose the constraints Pif{zi) +P2f{z2) < (pi +P2)f[z') for all 
operator monotone functions. Using f{z) = z we have obtain the necessary condition 



Pizi +P2Z2 

Pl +P2 



< z'. 



(81) 



It is also sufficient because operator monotone functions are concave (a property that can be checked 
directly on the extremal functions f{z) = for A G (0, 00)). 

When equality holds in Eq. (j81|) we call the move point merging. The more general case is 
simply generated by point merging followed by point raising). In simpler words: point merging 
takes two points and replaces them with a single point carrying their combined probability and 
average z value. 

For n points merging into one point it is easy to see that we must conserve probability and 
average z (or strictly speaking average z cannot decrease). But this exact final configuration can 
be achieved using a sequence of pairwise point merges with a possible point raising at the end. 

For the bipartite case, the transition 



Pi[xi,y\ +P2[x2,y\ (pi +P2) 



Pixi +P2X2 

PI+P2 



<y 



(82) 



is clearly valid, and similarly with x and y interchanged. However, it does not follow that the 
transition 0.5[0, 0] +0.5[1, 1] 1[0.5, 0.5] is transitively valid. In fact, the proof of the impossibility 
of strong coin flipping is a proof that . 5 [0 , 0] + . 5 [1 , 1] '^[z,z\ is transitively invalid if z < 1 / ^/2. 



3.1.3 Point splitting 

All possible one point to two point transitions have the form 

{Pl+P2)[z]^pi[z[]+P2[z'2l (83) 

where we have already imposed the constraint of probability conservation, and we assume pi > 
and p2 > 0. We now need to impose the constraints (pi + P2)f{z) < pif{z[) + P2f{z2) for all 
operator monotone functions. In particular, for A G (0, 00) the inequality is satisfied for f(z) = 
= A(l — if and only if it is satisfied for f{z) = —j^- If none of the points are located at 
zero, then we can take the limit A — > and the inequality must still be satisfied. In other words, a 
necessary condition is 

_Pl±Pl<_Pl_Pl, (84) 

Z Zi Z2 

It is also sufficient. Let w = 1/z and assume the above inequality holds, then verifying the original 
constraint with f(z) = —-rr- is equivalent to verifying (pi + P2)g(w) < (pi + p2)g( ^^"'^1]^^"'^ ) < 
Pig{w'i) +p2g{w2) with g{w) = — i_^xw ■ inequality holds because g{w) is monotonically 
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decreasing and the second inequality holds because ^(w) is convex. The special case of f{z) = z 
follows by considering the limit A — > oo of /(z) = 

When equality holds in Eq. (|84p we call the move point splitting. In simpler words: point 
splitting takes a point and replaces it with two points such that the total probability and average 
l/z is conserved. All one point to two points valid transitions can then be generated by point raising 
followed by point splitting. Similarly, all one point to n point valid transitions can be generated by 
point-raising and a sequence of one-to-two point splittings. 

The above arguments hold provided none of the points is located at zero. If either z[ = or 
^2 = it is not hard to verify that we must also have z = 0. If z = all valid moves can be 
generated first by splitting the point into two points located at zero and then using point raising 
to move them to the required destination. In fact, we allow this type of point splitting anywhere: 
we can always replace a point at z with probability p with two points at z and probabilities that 
add to p. 



3.1.4 Summary 

Lemma 20. The following are valid transitions: 
• Point raising 

p[z] p[z'] (for z < z'). (85) 



Point merging 



Pl[zi] +P2[Z2] {Pl +P2) 



Pi +P2 



(86) 



Point splitting 



{Pi + P2) 



Pi +P2 
piw'^ +P2W'2 





' 1 ■ 




' 1 " 


-^Pl 




+ P2 






M 







(87) 



3.2 Basic protocols 

The simplest of all protocols are the ones when one player flips a coin and tells the outcome to the 
other player. If Alice is in charge of flipping the coin we get the TDPG 



^[1,0] + ^[0,1] 



1 



1 



:,1 



where the first move is point raising and the second is point merging. Similarly, if Bob is in charge 
of flipping the coin we get 



^[1,0] + ^[0,1] 



^[1,0] + ^[1,1] 



1 



1 



(89) 



These are graphically illustrated in Fig. [3J 

Note that in the second protocol Bob sends the flrst non-trivial message (equivalently, the final 
move is vertical). Whereas for UBPs we enforced the constraint that Alice always sent the first 
message, for TDPGs we will let the first message be sent by whomever it is convenient. 
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1 

1/2. 



1/2 1 



Figure 3: The two trivial protocols where Alice (left) or Bob (right) flip a coin and announce the 
outcome. 



To assign some meaning to the abstract operations we can think of point merging as occurring 
when a player flips a coin and announces the outcome to their opponent (recall the reverse time 
convention, in regular time point merging occurs first and makes two points out of one). Point 
raising does not correspond to any physical operation, but rather to one player trusting or at least 
accepting the state provided by the other player. 



3.2.1 The Spekkens and Rudolph protocol 

Fix X e (1/2, 1). Consider 



^[1,0] + ^[0,1] 



2x-l 
2x 



2x-l 
2x 



X,0 



X,0 



+ 



+ 



1-x 
2x 



1-x 
2x 



1-x' 



I [0,1] 
^[0,1] 



(90) 



2x-l 
2x 



X,0 



X, 1 



1 



2x 



The TDPG is the sequence: split, raise, merge, merge. It is illustrated in Fig. S] for the case 
X = l/\/2- The resulting protocol satisfies = x and = achieving the tradeoff curve 
P*P* = 1/2 from |SR02bj . 

From the point of view of point games, the clever step above is the initial split which was chosen 
so that, after the first merge, the remaining points would be vertically aligned and a second merge 
could immediately take place. The initial split corresponds to the cheat detection carried out at 
the end of the protocol. 

Another interpretation of the compromises made in the above protocol can be understood as 
follows: We know that in each move the average value of x and y cannot decrease because f{z) = z 
is operator monotone (and f{x,y) = x + y is bi-operator monotone). A perfect zero-bias protocol 
would never increase these averages. In a non-perfect protocol every such increase gets added to 
the final bias. In particular, the above protocol has two such "bad" steps: the split (which increases 
average x) and the raise (which increases average y). The protocol with P^ = Pg = l/\/2 balances 
these two effects so that they are equal. 
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1 + V2 



Figure 4: The Spekkens and Rudolph protocol with x = l/\/2. 



3.2.2 Quantum public-coin protocols 

The Spekkens and Rudolph protocol can be improved by using the TDPG depicted by Fig. [5] (left). 
The idea is that we begin by splitting the initial point on the vertical axis and use the resulting 
top point to help raise the rightmost point. The operation on the rightmost line becomes a point 
merging which preserves average y instead of the old point raising which increased average y. The 
cost of doing this, though, is the split on the vertical axis (which increases average y) and the 
point raising of the top point (which increases average x). Nevertheless, when the parameters 
(probabilities and coordinates) are chosen properly the above pattern results in a improvement. 

Closer inspection shows that the added structure of the above protocol relative to the Spekkens 
and Rudolph protocol is very similar to the added structure of the Spekkens and Rudolph relative 
to the trivial protocol where Bob announces the coin outcome. In fact, the process can be iterated 
as depicted in Fig. [5] (right). The process begins by splitting the two initial points into many 
points on the axes. Then point raising is used on the rightmost point so that it is aligned with 
the topmost point. The two points are merged and the resulting point ends up lined up with the 
second-rightmost point. These two are again merged producing a point that is lined up with the 
second-topmost point. All point are merged in this fashion until a single point remains. 

Obviously, the initial splits must be chosen with care so that all the merges end up properly 
lined up. We will not describe here the precise parameters needed to achieve this, though the details 
can be found in [MocOSj . In fact, the paper describes an even larger family of coin-flipping protocols 
which consisted of classical public-coin protocol with quantum cheat detection. In the language 
of TDPGs all the protocols in the family can be characterized as follows: First the point Pb[1)0] 
splits horizontally into as many points as needed. Similarly the point Pa[0, 1] splits vertically as 
needed. These steps are the cheat detection. After that only point raising and merging are allowed, 
though in any order or pattern desired. Sadly, the optimal bias that can be achieved with protocols 
of this form is 1/6, and is realized by the pattern from Fig. [5] (right) in the limit of an arbitrarily 
large number of merges. 

An improved version of the above protocol is presented in Appendix [Aj where we effectively 
note that the initial splits can be done gradually as the protocol progresses (or equivalently, that 
cheat-detection can be done gradually). The advantage of this is a reduction in the number of 
required qubits to a constant number. The bias, though, remains fixed at 1/6. 
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Figure 5: An improvement to the Spekkens and Rudolph protocol (left) and further iterations of 
the improvement (right). Figures not to scale. 



Below we intend to give an informal description of the bias 1/6 protocol in the limit of infinitely 
many messages, in which our standard "finite points with probability" TDPGs get replaced by 
probability densities. Though we will not formalize these TDPGs with probability densities, they 
are occasionally useful in studying protocols. In fact, the main result of the paper will have this 
form, though in the formal proof we shall approximate the continuous distribution by a discrete 
finite set. 

Let us imagine that we have carried out the initial point-splitting, and that we have split into 
so many points that we effectively have a continuous probability density on the axes: 

POO -j^ POO 

- J ^ p{z)[z,0]dz + - j ^ p{z)[Q,z\dz, (91) 

where p{z) is some probability distribution with p{z)dz = 1, and z* > is some cutoff below 
which no points are located. 

The continuum limit of the process depicted in Fig. [5] (right) consists of a point moving along 
the diagonal and collecting the probability density off of the axes. The point starts at [cxd, oo] with 
zero probability and ends at [z* , z*] once it has collected all the probability. What we are trying to 
determine is for what probability distributions p{z) is such as thing possible. In other words, for 
what probability distributions p{z) is 

1 POO 1 POO 

-J ^ piz)[z,0]dz + -J ^ piz)[0,z]dz ^ l[z*,z*] (92) 

transitively valid? 

Let Q{z) be the probability of the point that is traveling down the diagonal. Given the point 
(5(2;)[z,2:] we can move downwards and rightwards in a two step process: first we merge with a 
"point" on the x-axis (with effective probability ^^dz) to get to {Q{z) + p{z)/2dz)[z, z — dz], 
then we merge with a "point" on the y-axis (again with effective probability ^^^dz) to get to 
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{Q{z) +p{z)dz)[z — dz,z — dz]. Conservation of probability tells us that Q{z — dz) = Q{z) +p{z)dz 
or 



= 

But these transitions are point merges and should additionally conserve average height during the 
first merge (and average x position during the second merge). In particular, we get a constraint 
of the form (Q{z))z + {^^dz)0 = {Q{z) + ^^dz){z — dz). Canceling a few terms we get = 
—Q{z)dz + ^^zdz or 

Q{z) = (94) 



Combining the two constraints we get a differential equation in Q{z) 

dQjz) _ 2Q{z) 
dz z 



(95) 



solved by Q{z) = cjz^ for some constant c. Our original probability distribution must have the 
form p(z) = 2c/ z^, and we can now fix the constant by the requirement p{z)dz = 1. We get 
c={z*)'. 

What our arguments above have shown is that for any z* > the transition 



1 r 

2^ 



^ ^ 'z,0]dz + - -^^[0,z]dz ^ l[z*,z*] (96) 



z 



3 2.4. ,3 



is transitively valid. 

But, of course, the true starting state is ^[1,0] + ^[0, 1]. To reach the initial state above we 
must use point splitting independently on each axis. The constraints are conservation of probability 
(already imposed) and a non-increasing average 1/z: 

In other words, we can achieve bias 1/6 but no better. 



3.2.3 Protocols with cheat detection 

As mentioned in the introduction, even bit commitment can be accomplished using quantum in- 
formation if we are willing to settle for a cheat-detecting solution. These protocols with cheat 
detection may prove to be an important component of quantum cryptography. 

As an example of how Kitaev's formalism can be extended to study cheat-detecting protocols 
we will describe in this section a simple generalization of the above protocol. 

One approach to cheat detection is as a payoff maximization problem. Specifically, in coin 
flipping we would formulate the problem as follows: winning the coin flip earns you $1, loosing the 
coin flip nets you $0, but if you get caught cheating you will lose $A (i.e., the cheating player wins 
— $A and we assume A > 0). Calculating the maximum expected earnings for each A is equivalent 
to finding the tradeoff curve between the probability of winning by cheating and the probability of 
getting caught cheating. 
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As most of our equations so far have been designed for positive semidefinite matrices, it is 
simplest to begin by modifying our payouts so that they are all non negative: $(A+ 1) for winning, 
$A for losing, and $0 for getting caught cheating. These two formulations are equivalent in that an 
optimal payout for one can be found from the optimal payout for the other by adding/subtracting 
A. 

Accommodating multiple payouts only requires modifying the final projection operators. For 
instance, Za^u = ^A,i (which could be though of as a payout matrix for the non-cheat detecting 
problem), now needs to be replaced with a matrix with three eigenvalues: A + 1, A and so that 
the honest states in which Bob wins have the appropriate eigenvalue 

ZA,n (nA.llV'A.n)) = (A + 1) {UA,l\^A,n)) , Z A,n {^aMa^u)) = A (n^.ol^A.n)) , (98) 

and the orthogonal subspace has eigenvalue zero. In particular, everything we have done so far is 
still valid, but the transition of interest becomes 

i[A + l,A] + i[A,A + l] ^ ![/?,«], (99) 

where now /3 and a are upper bounds on the expected payouts of Bob and Alice respectively. 

What would happen if we were now to shift back to the original payouts of $1, $0 and $— A? 
We would again return to looking for transitions of the form ^[1,0] + ^[0,1] a], however 

our constraints for valid transitions would need to change. Rather than looking for transitions that 
live in the dual to the cone of operator monotone functions with domain [0, oo) we would look for 
transitions in the dual to the cone of operator monotone functions with domain [—A, oo). 

In other words, in a setting with a penalty of A for cheating, a transition pi^z) — > piJ^xi^z) is 
valid if and only if probability is conserved and 

<yvi^x{z)-— (100) 



for A G (A, oo). The old rule is simply the special case A = 0. 

Note that for A > we are simply removing restrictions from valid transitions. Therefore, not 
surprisingly, any protocol that was valid with no cheat detection is still valid in a cheat detecting 
world. However, one can often do better in the latter case. 

Returning to the coin-flipping protocol we described in the previous section, Eq. (j96p is still 
valid and essentially optimal. However, the constraint imposed by Eq. (j97p is no longer necessary. 
It is not hard to check that in a cheat detecting setting, the dominant function that constrains 
point splitting is f{z) = -^-^ (or /(z) = —-^^ which is equivalent when probability is conserved). 
Eq. ([^7|) gets replaced by 

1 f°° p(z) f°° 2(z*)2 fK-2z* 2iz*f z* + K\ , , 

<-/ f^dz = - ^, dz = -{ — ^ + A^iog— — . (101) 



A + 1- J,, K + z J,, z3(A + z) V A2 A3 ^ z 

Asymptotically, as A ^ oo, one finds an optimal expected winnings of z* ~ ^ + 



4 Kitaev's second coin-flipping formalism (cont.) 

In this section we shall conclude the description, that begun in Section [21 of Kitaev's second coin- 
flipping formalism [Kit04j . The last step is the transition from points games that are ordered in 
time to point games with no explicit time ordering. 
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4.1 Time Independent Point Games 



The new ingredient for this section is catalyst states. Given a transitively valid transition such as 
Pb[1, 0] + Pa[0, 1] l[/3, a] it trivially follows that 

Pb[1, 0] + Pa[0, 1]+Y1 Vi] ^ a] + 1^ Wi[xi,yi] (102) 

i i 

is also transitively valid, for any "catalyst" state j i [xj , y^] with Wi,Xi,yi > 0. The question we 
consider here is whether the converse is true. 

For one-vaxiable transitions the converse is trivially true. The goal of this section is to prove 
that the converse is also true for bipartite transitions (including transitively valid transitions). The 
proof will basically show that we can use a small amount of probability to create the catalyst state, 
and then run the catalyzed transition in small enough steps so that by comparison the catalyst 
state appears large enough. 

Before diving into the proof let us examine some of the surprising consequences that will follow. 
The first consequence is that previously all our probability distributions had a range contained in 
[0, oo), but now we can allow "probability" distributions with a range of (—00,00). Negative values 
are simply points were we need to add in some more probability using a catalyst state. This leads 
to the following definition 

Definition 21. A function with finite support p : [0, 00) — ^ M «s valid if YlzPi'^) ~ ^ ^'"'^ 
{f^)piz)>Ofor aUX>0. 

The definition implies p is in the dual to the cone of operator monotone functions. Note that 
because = A — ^j^, and because of conservation of probability, checking Y2z (l^) — *-* 

for all A > is equivalent to checking Ez (l^) ^'('^) — ^ A > 0. The latter condition will 

be easier to analyze in later sections, though. 

The validity relation is essentially a partial order on functions. Instead of saying p ^ q is valid 
wc could equally write p ~< q. Similarly, a valid function p could be written as -< p. We use the 
earlier notation because it is easier to say "a function p is valid" than "a function p belongs to the 
cone dual to the operator monotone functions." 

By construction any valid transition p ^ q can be converted into the valid function q — p. We 
therefore immediately obtain a number of standard valid functions (which follow from the proofs 
in the previous section): 

Lemma 22. The following are valid functions: 
• Point raising 

- p[z] + p[z'] (for z < z'). (103) 



• Point merging 



■pi[zi\ -P2[z2] + {P1+P2) 



Pizi + P2Z2 

Pi +P2 



(104) 
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• Point splitting 



- {P1+P2) 



P1+P2 



1 



1 



(105) 



piw'i + P2W2 



+ Pi 




+ P2 




The second, and more surprising, consequence of catalyst states is that all point games can be 
run using exactly two transitions: one vertical and one horizontal. The idea is that given any point 
game we can move all the horizontal transitions to the beginning and all the vertical transitions to 
the end, combining each set into a single vertical or horizontal transition. Of course, the state after 
the first transition but before the second may have some negative probabilities, but as discussed 
above this can be fixed with an appropriate catalyst state. This leads to the following definition: 

Definition 23. A function with finite support p : [0, 00) x [0, 00) -^M. is valid if either 

• for every c G [0, 00) the function p{z, c) is valid, or 

• for every c G [0, 00) the function p{c, z) is valid. 

where as before p(z, c) is the one-variable function obtained by fixing the second input. We call the 
first case a valid horizontal function and the second case a valid vertical functions. 

Of course, we don't even need to specify whether the horizontal or the vertical transition 
occurred first, and therefore we obtain a fully time independent point game: 

Definition 24. A time independent point game (TIPG) consists of a pair of functions with 
finite support h, v : [0, 00) x [0, 00) — > M such that 

• h is a valid horizontal function. 

• V is a valid vertical function. 



We say that [/?, a] is the final point of the TIPG. 
4.1.1 Relating TDPGs and TIPGs 

Given a TDPG specified as po) ■ ■ ■ ,Pn with final point [l3,a] we shall construct a TIPG with the 
same final point. Let H (resp V) be the set of indices l,...,n such that Pi-i Pi is a valid 
horizontal (resp. vertical) transition. Define 



• h + v = l[P,a]-PB[l,0]-PA[0,l]. 





(106) 



ieH 



iev 



then ^ is a valid horizontal function, v is a valid vertical function and 



h + v=Pn-po = l[P,a]- Pb[1, 0] - Pa[0, 1] 



(107) 



as required. 
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To go the other way we begin with a TIPG specified by h,v with final point a]. We define 
v~{x, y) = — m.m{v{x, y), 0) > as the magnitude of the negative part of v. Then consider 

Pb[1,0]+Pa[0,1]+v~ ^ Pb[1,0]+Pa[0,1]+v~ +v (108) 

^ Pb[1,0]+Pa[0,1]+v~ +v + h = l[P,a]+v-. 

The first is a vahd vertical transition and the second is a valid horizontal transition. Also, the 
intermediate state is non-negative with finite support. Therefore, it is a proof that Pb[1,0] + 
Pa[0, 1] + v~ — > l[/3, a] + v~ is transitively valid. Below we will show that we can get rid of the 
catalyst v~ and construct for every e > a sequence such that Pb[1, 0] + Pa[0, 1] 1[/? + e, a + e] 
is transitively valid. This is the desired TDPG. 

What remains to be proven is that we can discard catalyst states. We will only prove this for 
the special case of coin flipping, though the general case is also true. We first require two simple 
lemmas. The first lemma shows we can construct arbitrary catalyst states (as long as we allow 
extra junk) and the second lemma shows we can clean up the catalyst states (and extra junk). 

Lemma 25. Given a function r : [0, oo) x [0, oo) — >■ [0, oo) with finite support such that r(0, 0) = 0, 
there exists c > and a function r' : [0, oo) x [0, oo) — ^ [0, oo) with finite support such that 

cPb [1,0]+ cPa [0, 1] ^ r + r' (109) 

is transitively valid, where we additionally assume both Pa,Pb > 0. 

Proof. First we prove the lemma for the special case when r has support at a single point. Let 
r = q[x, y] with q,x > and y > (the case y > and x > will follow by exchanging the axes). 
If a; > 1 then 

■^Pb[1,0] + -^PaIOA] ^ q[x,y] + ;^^a[0,1] (110) 

is transitively valid using point raisings, and the lemma is satisfied with c = ^ and r' = ^^[0, 1]. 
If X < 1 the sequence 

Pb[1, 0] + Pa[0, 1] ^ Pb[1, y] + Pa[0, 1] ^ |Pb[x, y] + (l- |) Pb[2 -x,y] + Pa[0, 1] (111) 

is transitively valid by point raising followed by point splitting. Now we use the fact that we can 
scale the probability in transitions. That is, if Xli ~^ ''^'jWjjy'j] transitively valid 

then for a > so is awi[xi, yi] Ylj <^u)'j[x'jiyj]- I^i particular, if we scale the previous transition 
by c = 2q/ (xPb) we satisfy the lemma with r' = c(l — x/2)Pb[2 — x,y] + cPa[0, 1]- 

Finally, for the general case where r = Yli=i Qii^i^yi] l^t q and be chosen as above so that 
c^Psfl, 0] + CiPA[0, 1] — qi[xi, yi] + is transitively valid. Then 

k k k k 

^CiPB[l,0]+^CiPA[0,l] ^ 5I^^^^[l'0]+I]ciPA[0,l]+gi[xi,yi]+ri 

i=l i=l i=2 1=2 

k k j-1 j-1 

^ ^J2 ciPB[l,0]+J2 ^-^^[0' 1] + I] Qil^i, Vi] 

i=j i=j i=l i=l 

k 

^ ...^r + J2r'i, (112) 

i=l 
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where by construction each transition is transitively vahd and so the proof is completed by setting 
c = YliCi and r' = ^^r[. □ 

Lemma 26. Given e > and a function r" [0, oo) x [0, oo) [0, cxd) with finite support and 
J2x y y) = 1; there exists 1 > 5 > such that 

{1- 5)[l3,a]+5r" ^l[l3 + e,a + e] (113) 

is transitively valid. 

Proof. Let x" be the largest x-coordinate over all points in r" and similarly let y" be the largest 
y-coordinate over all points in r" . By point raising r l[x" ,y"] is transitively valid, so we focus 
on proving that we can find 1 > 5 > such that 

{l-5)[(3,a]+5[x\y"] ^ l[/3 + e,a + e] (114) 

is transitively valid. We can also assume (possibly using further point raisings) that x" > /3 + e 
and y" > a + e. Consider the following sequence 

{l-5)[^,a]+5[x\y"] ^ (i - 5')[p,a] + {5' - 5)[f3,y"] + 5[x\y"] 

^ (l-5')[/3 + e,«]+'^'[/3 + e,y"] 

^ l[/5 + e,a + e] (115) 

corresponding to raise, merge, merge. To make the first merge valid we need {8' —5)(3+6x" = 6'{l3+e) 
which is equivalent to 6{x" — (3) = 6'e. The second merge requires 5'{y" — a) = e. Both conditions 
can be satisfied by constants such that \ > 5' > 6 > Q. □ 

Putting the lemmas together we can prove the main result. 
Lemma 27. Given r : [0, oo) x [0, cxd) [0,oo) with finite support such that r(0,0) = and 

Pb[1,0] +Pa[0,1] +r ^ l[/3,a] +r (116) 
is transitively valid then for every e > 

Pb[1,0] +P4[0,1] ^ l[/3 + e,a + e] (117) 

is transitively valid as well. 

Proof. Fix e > 0. Note that by conservation of probability we must have Pa + Pb = 1- We also 
assume Pa,Pb > as otherwise the proof is trivial. Therefore, we can use Lemma [25] to get c > 
and r' so that ci-*B[l, 0] + cPa[^, 1] ^ r + r' is transitively valid. 

If we set r" = (l/c)(r + r') than again by conservation of probability we must have Y2xy^" ~ ^■ 
We can therefore use Lemma [26] to get 1 > (5 > so that (1 — (5)[/?,a] + 5r" ^ 1[/? + e,ae] is 
transitively valid. Now consider the sequence 

Pb[1,0]+Pa[0,1] ^ {l-6)PB[l,0] + {l-d)PA[0,l]+^r + +^r' 

^ (l-6)[f3,a] + -r + +-r' 
c c 

^ l[/5 + e,a + e]. (118) 
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The first transition follows from a scaled version of the transition obtained from Lemma [25l and the 
third transition is the one obtained from Lemma [26l The middle transition follows from repeated 
applications of aPeil; 0] + aPA[0, l]+ar — > a[(3, a] + ar for a < 5/c. Therefore the whole transition 
is transitively valid as required. □ 

Prom the conditions of validity, it is easy to verify that neither h nor v can be positive at the 
point (0,0). Since their sum must be zero at this point, individually they must be zero as well. 
Hence, our catalyst state is zero at (0, 0) and we can apply the above lemma to complete our 
argument for the equivalence of TDPGs and TIPGs. We can state the result formally as a further 
extension of Theorem [T9l 

Theorem 28. Let f{P, a) : M x M — > M 6e a function such that f{a',/3') > f{a, j3) whenever a' > a 
and (3' > (3, then 

ini f(P*B,PV)= inf /(/?,«)= inf /(/3,a)= inf /(/?,«). (119) 



5 Towards zero bias 

In this section we will finally describe a family of protocols for coin-flipping that achieves arbitrarily 
small bias. The protocols will be described in Kitaev's second formalism using the tools of the 
previous sections. 

In the first part of the section we will attempt to give some intuition for our construction. Along 
the way we will prove a couple of important lemmas. In Section 15.21 we will simply present the 
corresponding pair of functions h and v and prove that they satisfy the necessary properties. 

For those who have skipped ahead to this section, we review some of the key concepts that have 
been defined in previous sections: A valid function f{z) has finite support and satisfies f{z) = 
and jif^fi^) ^ foi' A > 0. These constraints are equivalent to those discussed in the 
introduction. Examples of valid functions are point raises, point merges and point splits as defined 
in Lemma [22j A valid horizontal function h{x, y) is valid as a function of x for every y > 0. 
Similarly, a valid vertical function v{x, y) is valid as a function of y for every x > 0. A TIPG is a 
valid horizontal function plus a valid vertical function such that h + v = 1 [/?, a] — Pb [1,0]— Pa [0, 1] , 
where [xq , yo] denotes a function that takes value one at x = , y = yo and is zero everywhere 
else. Such a TIPG leads to a coin-flipping protocol with < a and < (3. 

5.1 Guiding principles 

We begin our discussion with a TIPG example. We will analyze the TIPG with bias 1/6 first 
introduced in the introduction (Fig. [2|) and reproduced here in Fig. [6l The two figures are intended 
to denote the same TIPG, though the latter figure has a slightly different labeling convention. 

The new labeling convention provides some useful intuition for TIPGs: because of probability 
conservation, one can associate a probability with each arrow. The arrows carry the probability 
from their base to their head. The probability associated to a point can be computed as the sum 
of incoming probabilities, (which equals the sum of outgoing probabilities for all points except the 
initial and final points). Furthermore, the probability carried by arrows not associated with the 
initial or final points must go around in loops, such as boxes or figure eights. It is often easiest in 
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Figure 6: A TIPG with bias 1/6. 



a figure to label each loop with the probabihty that goes around it, and this is the idea behind the 
labeling of Fig. [6l 

We can also use our algebraic notation to express the TIPG. The horizontal arrows encode the 
function 
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2 2 
3' 3 



+ 1 



4 2 
3' 3 
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0,1 


+ 2 


3'' 


- 2 


3'' 


+ 1 


1' 



k=4: 



k-2 k 
3 '3 



+ 2 



k-l k 
3 '3 



k + 1 k' 
3 '3 



+ 1 



k + 2 k 
3 '3 



(120) 



The last line of h denotes a pattern that we shall call a ladder. More generally, we shall refer to 
any regular pattern that heads to infinity on the diagonal as a ladder. The problem with ladders 
is that they involve an infinite number of points, and we previously required that h have support 
only on a finite set of points. In Section [5T2] we will study how to properly truncate these ladders, 
but for the moment we shall ignore this issue. 

By symmetry we can define v{x,y) = h{y,x). By construction all terms in the sum h + v cancel 
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except for the three required 



h + v = 1 



"2 2" 

3' 3 



1,0 



0,1 



:i2ii 



Let us verify that /i is a vahd horizontal functions (which by symmetry proves that v is a vahd 
vertical function). It is easy to see that for every y we have Y2x ^i^^u) ~ 0- '^^^ other constraint 
that needs to be checked is j^^i^^ y) ^ for all A > and all y > 0. We begin with the case 
y = k/3> 4/3. 
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X+x \ ' 3 
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(A + ^)(A + ^) (A + ^)(A + W (A + W(A + ^) 



(A + ¥)(A + ¥)(A + ¥) 



mi) 



(A + ^)(A + ¥)(A + ^)(A + 



> 



(122) 



for A > 0, where the successive simplifications involves splitting the middle terms and using relations 
of the form 



1 



X2 - Xl 



A + xi A + X2 (A + xi)(A + a::2)' 



(123) 



The idea is that we can interpret successive lines as follows: The first line is the standard sum 
over points with a numerator corresponding to probabilities. The second line is a sum over arrows 
with a numerator corresponding to probabilities times distance traveled (which we can think of as 
momentum). Finally, the third line is a sum over pairs of arrows with zero net momentum. 

The constraint at y = 1 is roughly the same, except that the leftmost arrow travels twice the 
distance and carries half the probability. More specifically, we can write 
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The right term is exactly what would be there if the ladder had been extended to y = 1. It is 
valid by Eq. (I122p . The left term is the difference between the long arrow carrying probability 1/2 
and the short arrow carrying probability 1. It is valid because it is a point merge. Therefore, the 
original expression is a sum of two valid terms and itself is valid, as can also be checked by direct 
computation. 

The constraint for 2/ = | can also be directly checked, though in fact it is just a point splitting, 
and hence valid because |/1 = |/| + 1/|. 

Except for the fact that the ladder involves an infinite number of points, we have completed 
the proof that the resulting TIPG corresponds to a protocol with bias 1/6. The infinite number 
of points, though, is a serious problem from the point of view of our constructive description of 
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Kitaev's formalism: for instance, the canonical catalyst state used to convert the TIPG into a 
TDPG carries an infinite amount of probability. 

To proceed we therefore must truncate the ladder at some large distance F. The truncation will 
add small extra terms to the bias, which will go to zero as T — > oo. We can think of the different 
values for T as a family of protocols which converges to a bias of 1/6. 

While the formal truncation is done in Section 15.1.21 we will try to paint an intuitive picture 
here as to why truncation is possible. Let us imagine that we naively cut the ladder diagonally at 
some point in such a way that the end looks like the top of Fig. [6l The ladder is still valid (the top 
rung is just a point merge), however we are left with an excess of probability in the edges and a 
deficit of probability in the center. To correct the situation we need to add in a term of the form 
2[f , - ^] - which is a coin-flipping problem! 

Admittedly it is a coin-flipping problem with twice the probability and two thirds of the distance 
between points but that does not make much of a difference. The problem is located far away from 
the axes, though, so it really is a coin flipping with cheat detection problem as described by 
Section 13.2.31 Even better, the cheat detection is proportional to F which can be made arbitrarily 
large at no cost to us (us being the designers of the protocols, of course there is a practical cost 
involved in implementing protocols with large F). 

As the amount of cheat detection becomes infinite, the rules of point games become very simple: 
probability is conserved and average x and y cannot decrease. As the problem we are carrying off 
to infinity has zero net probability, and zero net average x and y, it should be resolvable at infinity. 
Sadly, even at infinity zero-bias coin flipping is impossible (only arbitrarily small bias is allowed) 
so after resolving the problem at infinity, we still need to bring back an error term down through 
the ladder. 

In practice, we still need to truncate the ladder at a finite distance, resolve the coin-flipping 
problem at that height, and carry the error terms back down through the ladder. There is a fairly 
automatic way of taking care of all of this, but it involves more complicated ladders. The next 
section will present the most important result used in building such complicated ladders. 

5.1.1 Obtaining non-negative numerators 

Whenever we want to verify that a function p{x) is valid, we need to examine expressions of the 
form 



where xi, . . . , Xn > are the finite support of p, and /(—A) is some polynomial whose coefficients 
depends on the non-zero values of p{x). The reasons for making / a function of —A rather than A 
will become clear below. 

The function p{x) is valid only if the above expression is non-negative for A > 0, which in turn 
is true if and only if /(—A) is non-negative for A > 0. The problem is that combining the terms to 
find /(—A) is often tedious, and verifying its non-negativity can be fairly difficult. 

On the other hand, constructing a non-negative polynomial is generally easy (for instance we 
can specify it as a product of its zeros). Therefore, it is often easier to start with /(—A), and 
use it to compute an appropriate distribution p{x) over some previously selected points xi, . . . , x„. 
That is the approach that we will be developing in this section. The next two lemmas will help us 
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prove that the desired expression is p{xi) = —f{xi)/Y\j^^{xj — Xi), which also satisfies probabihty 
conservation so long as /(—A) has degree no greater than n — 2. 



Lemma 29. Let n > 2 and xi, . . . , x„ G M be distinct. Then 

n n ^ 

1=1 j=i ■' 



(126) 



Proof. We proceed by induction. For n = 2 we trivially have 

0. 



1 1 

+ 



{X2 - Xi) {Xi - X2) 

For n > 2 we use the identities for 1 < z < n 
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and by induction both terms inside the parenthesis are zero. 
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□ 



Lemma 30. Let n>2 and Xi, . . . , x„ G M 6e distinct. Let f{x) be a polynomial of degree k < n—2. 
Then 



E 



/(Xi) 



0. 



(130) 



Proof. We proceed by induction on k. For k = the result follows from the previous lemma. If 
A; > we can write f{x) = cYl'^^^{xj — x) + g{x) for some scalar c G M and a polynomial g{x) of 
degree less than k. Then 
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n n ^ IV 



1 njyi(^j ~ 



i=fe+l j=fe+l 



and both terms are zero by induction. 
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□ 



Lemma 31. Let Xi, . . . ,Xn be distinct non-negative numbers and let /(—A) be a polynomial in A 
of degree k < n — 2 which is non-negative for A > 0. Then 



p = E 



-fixi 



(132) 



is a valid function. 
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Proof. Using the previous lemma with an appended point Xn+\ = 



—A, we get 



i=l 



-1 



f{Xi 



+ 



/(-A) 



= 



(133) 



which proves the constraints for A > 0. In fact, the above relation holds so long as / has degree 
k < (n + 1) — 2. However, we must reduce the allowed degree by one more to get probability 
conservation 



^p{xi) = lim ^ 



A 



-f{xi 



lim 



-A/(-A) 

"ti^+^i yUjjLiixj - J x^^^ ni(A + Xi) 

which converges to zero if the degree is fc < n — 2. 



(134) 
□ 



5.1.2 Truncating the ladder 

A single rung of our ladder has the form 

'k-1 k 
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Following the discussion in the last section we want to set 
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The ladder for the bias 1/6 protocol can be described this way with /(—A) = 4/9, which is clearly 
positive for A > 0. But, of course, we can allow / to be other quadratic functions. More importantly, 
we can allow different quadratic functions at different heights of the ladder. That would lead to a 
function f{x,y) with the constraint that for every y (on which the ladder is non-zero) /(— A, y) is 
a quadratic polynomial in A that is non-negative for A > 0. 

But there is a catch. We want to keep the symmetry of the problem so that we can choose 
v{x,y) = h{y,x) and still get h + v to cancel on the ladder. In other words, we want to ensure 
h{x,y) = —h{y,x). This leads to the conditions 
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which are both satisfied if we enforce f{x,y) = f{y,x). 

Now we can choose our function / to stop the ladder at a certain height y = r/3 by setting 



f{x,y) = C 



r + 1 



r + 2 
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r + 2 
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for some large integer F and positive constant C to be determined below. The ladder part of h 
becomes 



hlad 
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We have stopped the ladder sum at height A/3. Of course, we could also have simply stopped the 
original ladder with / = 4/9 at a particular height, but we would have lost the antisymmetry of h. 
The fact that /(^^, ^) = /(^^, ^) = /(^^, ^-j^) = are all zero ensures that we can stop the 
above pattern and still retain h{x,y) = —h{y,x). 

The next step is to verify that hiad is horizontally valid, but that follows from the fact that 
f{—X,y) > for A > and y < r/3, and that it is quadratic in A. 

Finally, let us examine the bottom of the ladder. If F is very large, and x and y are small 
compared to F, then / ~ CF^/3^. If we further choose C ~ 36/F^ we end up approximating the 
original constant / = 4/9 ladder. 

The rest of this section will work out the details of merging this truncated ladder with the 
structure that needs to lie at the bottom. The discussion contains no critical new ideas and can be 
skipped on a first reading. 

Putting everything together we end up with a structure of the form 
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4 2 
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for some small (5 > to be determined in a moment. 

Note that hiad runs up to y = 1, which produces a point atx = l/3, ?/ = l. We must exactly 
cancel the amplitude in this point with the term on the second line of h. We therefore choose 
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F + 1 
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so that hiad{\i 1) = —1- Note that this C has the right behavior as F — > oo. The validity of h at 
y = 1 then follows because it is a sum of two valid terms (one coming from hiad)-, just as it was in 
the original ladder in Eq. (I124p . 

The difficult line is y = 2/3 where we have coefficients that are constrained by the symmetry 
h{x,y) = —h{y,x). The coefficients are 
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Figure 7: A few simple ladder protocols: Symmetric (left) and asymmetric (right), with initial 
point split (bottom) and without (top). 



Conservation of probability follows trivially, and the line will be valid if it satisfies the point splitting 
constraint "^Pi/xi = 



3 1 2^^"^^ 3/r-3 

2(2 + (5) ^ 2 ~ Vr + ly ^ 4 Vr + 1 
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which implicitly defines 5 = 8/(3r — 1). 

Finally, without the last line we would have a protocol of the form 
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The last line uses point raising to merge the two final points at [^^, ^-^], giving us a protocol with 



p* p* 

— 



^ where <5 ^ as F 



oo. 



5.1.3 Building better ladders 

Having completed our analysis of the original bias 1/6 ladder, our task now is to apply the knowledge 
gained to the building of better ladders. 

We begin by studying a few simple variants of the 1/6 ladder which are depicted in Fig. [71 
Whereas the ladders discussed thus far have been symmetric (by reflection across the diagonal). 
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all the TDPGs discussed in Section [3] were asymmetric. Because the space of TIPGs is a cone, an 
asymmetric TIPG can always be made symmetric by taking a combination of itself and its reflection. 
The advantage of working with symmetric TIPGs is that the validity of h implies the validity of v 
so there are less constraints to check. The disadvantage is that the expressions are generally more 
complicated (as we shall see below). Nevertheless, in this paper we will use symmetric ladders to 
express the main result and only study asymmetric ladders for comparison. 

There is also the possibility of starting the ladders with a point split on the axes. Numerical 
optimizations of the ladders depicted in Fig. [7] using a variable ladder spacing indicate that the 
optimal TIPGs with no initial point split can achieve = ~ 0.64 whereas those with an initial 
point split can achieve P\ = Pg ~ 0.57. From this perspective, constructing TIPGs with an initial 
point split may be better. On the other hand, TIPGs with no initial split tend to have simpler 
analytical expressions. 

Unfortunately, one can also analytically prove that none of the forms depicted in Fig. [7] can 
achieve arbitrarily small bias. We will not cover the proof here and instead directly proceed to 
studying more complicated ladders that have more than four points across a horizontal section. 

A horizontal rung of an asymmetric ladder with 2k points across and constant lattice spacing 
e has the form 
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A symmetric ladder is similar, except that the center point is always missing. Therefore a rung 
with 2k points can be written as 
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A complete symmetric ladder has the form 
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The ladder has been truncated at y/e = F which can be done if we pick 

fix, y) = g{x, y) (Fe + ie - x)^ [\{ (Fe + ie- y)^ (150) 

and then we are still free to choose a symmetric polynomial g(x, y) = g{y, x) so long as g{—\, y) is 
non-negative for A > and y > 0, and has degree at most A; — 2 in A. 

Because we only have k — 2 zeros to play with in g we can't fully truncate the bottom of the 
ladder as we did the top. But that is not a problem. After all, our goal is to attach the bottom of 
the ladder to our coin-flipping problem. 

It is still useful to truncate as much of the bottom of the ladder as we can in order to have fewer 
points to deal with at the bottom. We can partially truncate at some height y = joe by setting 

/fc-2 \ /fc-2 \ 



gix,y)=C{-l)'[l[{joe 



le 




le 



y) 



(151) 
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Figure 8: A ladder with 2k = 8 points across terminated at top and partially terminated at bottom 
(with an added point split). The dashed lines indicate the zeros ol f{x,y). 



The overall sign is chosen so that g{—X, y) is positive for A > and jge < y < Fe. 

With this truncation hiad has exactly three points to the left of the of the first truncation band 
(jQ — ^+2)e <x< (jQ — l)e. The three points are located at [(jq — /c+l)e, (jo + l)e], [(jq — fc + l)e, joe] 
and [(jo — A;)e, joe]. If we add in an extra point split at y = jo — A; + 1, and use v{x, y) = h{y, x) we 
end up with the situation depicted in Fig. [H) 

With some further tuning we can end up with 

h + v = -\[l,Q]-\[Q,l] + \[l- e", e'] + i[e', 1 - e"] (152) 

for some < e" < e', which is effectively a step along the diagonal connecting [1, 0] and [0, 1] towards 
the center [|, |]. The slope e'/e" of the step should converge to one as A; — > oo, and therefore one 
can use a sequence of such steps to merge the two points in the center and obtain a coin-flipping 
protocol with arbitrarily small bias. We shall not explore this construction further, though, and 
instead will focus our efforts on a procedure that works is a single big step. 
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5.1.4 Mixing ladders with points on the axes 



In this section we will present a family of protocols that converges to zero bias. The corresponding 
TIPGs will mix ladders with probability located on the axes. These TIPGs will be generalizations 
of the protocol from Section 13.2.21 which is the simplest example of the constructions used in this 
section. The discussion in this section will be informal and the formal proofs will be deferred to 
the next section. 

The complete protocol can be thought of as a three step process 

i[l,0] + i[0,l] P{je)[je,0]] +M p{je)[0,je]\ (153) 

\j=z*/e j \j=z*le ) 

- i[z*,z*-A;e] + i[z*-fce,z*]-l[z*,z1 

and depends on the usual parameters: integer A; > 1, small e > 0, large integer F > and a final 
point 1/2 < z* < 1. It also involves a function p(z) to be chosen below. There are a few obvious 
constraints such as A:e < z* and z* je £ Z which will all be resolved in the limits e — > and F ^ oo 
for fixed k. Our goal will be to prove that the above process is valid for some z* , and then to find 
the minimum valid = = z* for a given k. 

The first transition of the above process is intended to be a series of point splits along the axes, 
the second transition is the difficult step involving ladders, and the third transition is trivially valid 
by point-raising. The first transition is also valid given the following simple constraints 

r r 

j=z*/e j=z''/e 

which correspond to probability conservation and the point-splitting constraint (i.e., non-increasing 
average 1/z). Note that, as opposed to Section [3.2.21 we are using here a discrete function p{z) 
with finite support. 

The second transition is the interesting step and will consist of a process involving a ladder that 
slowly collects the amplitude on the axes and deposits it near x = z* and y = z* . The complete 
transition will be described as usual by a valid horizontal function h{x, y) and a valid vertical 
function v{x,y) = h{y,x) such that 



h + v 



-\ { E Pij')[i^^A -\\Y1 ^^(ie)[0'j'e] I +\[z\z*-ke] + \[z*-ke,z*]. (155) 



The new element is that when constructing the coefficients — f {xi,y'i) / Wj^j^ixj — Xi) for the 
ladder, one of the coordinates that appears in the product in the denominator is Xj = 0. Why 
is this different? So far we have exploited the fact that the product of distances for a point was 
the same (up to sign) whether we computed its vertical or horizontal neighbors. But now the 
expression includes an extra factor of (0 — Xj) or (0 — T/j), which means the two computations will 
be different. In other words, using a symmetric f{x,y) = f{y,x) will not yield an antisymmetric 
h{x, y) = —h{y, x). The solution is to pull out an extra factor of 1/y out of f{x, y), which will once 
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again allow us to use symmetric functions f{x,y), and will not affect the computation of horizontal 
validity (since 1/y is positive and order zero as a polynomial in x). We therefore set 



j=z*/e 



\ 



E 7-TTT 



i=—k 



fiU + i)e,je) 

{Xl - Xi) 



(156) 



where Yl^if^Xii^^ ~ ^^^^^ includes a factor of (0 — Xi) = — (j + i)e. 

In order to use Lemma [311 though, we must write the coefficient of [0, je] is the standard form, 
which imposes relation between p{z) and f{x, y) 



fiOJe) 



fiO,je) 



(je)n.,^0(^^-0) £2/0+1 



(157) 



We now pick / as usual to fully truncate the ladder at the top and to truncate as much as possible 
of the ladder at the bottom 



f{x,y) 



C{-1 



,fc-i 



n 

\i=i 

/ k 



/k-l 



ie-x)] [Y[i 



z — le 



y) 



(158) 



/ k 



le — X] 



\l{Te + ie-y)]. 



\i=l 



We have the usual symmetry properties f{x,y) = f{y,x). Furthermore, f{—\,y) is positive for 
A > and z* < y < Te (provided e is small enough so that ke < z*). Finally, /(— A,y) has degree 
2/c — 1 in A, which is allowed because we have 2/c + 1 points across, once we include the point on 
the axis. 

Because the truncation at the bottom of the ladder uses k — 1 zeros, h will only have a single 
point (excluding those on the axis) to the left of the first truncation band z* — {k — l)e < x < z* — e. 
The point will be located at [z* — ke,z*] and by probability conservation must have exactly the 
same amount of probability as was originally located on the axes. 

All that remains undone is to figure out what values of z* are allowed. For the moment we will 
only compute this in the limit of e — > and F — > oo in which 



f{0,z) = C'{ll{^ 



le — z) 



l[{Te + ie-z) -^C"{z-z*) 



(159) 



for some A:-dependent constants C and C" where we used (F — 2:)/F ^ 1. We then have 



p{z) 



2/(0, je) 



*\k-l 



c 



.{z-z*f 



z 



2fc + l 



(160) 



and the two constants z* and C'" are fixed by the constraints of Eq. (jl54p . now in integral form 

p(z 



p{z)dz, 



-dz, 



(161) 
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where we we have imposed equahty in the second constraint to obtain the smallest z* for a given k. 
Using w = z* / z, we can transform the following integral into a representation of the Beta function 
to get 

r ^^~p' dz = {z*y-^+^ C _ wydw = {z*y-^^^ B{e -3-1,3 + 1) 

Jz* ^ h 

_ ^ V{1 - 3 - l)r(j + 1)) _ {1-3- 2)!(j)! 

We then set our two constraint integrals equal to each other to cancel C" and solve for z* 

^ (2it)! " ^ (2fc + l)! ^ " ^-^^"^^ 

In other words, we have constructed a coin-flipping protocol with P\ = = (k + l)/{2k + 1). The 
construction is valid for all A; > 1. The next section will formalize the protocol. All the main ideas 
will be the same, though some of the functions will be redefined by constant factors. 



5.2 Formal proof 



Definition 32. Fix an integer k > 0, a small e > satisfying ke < 1/2, a large integer F > 4A; 

^2' 



and a parameter z* G (i, 1) such that z*/e is an integer. Let T = {k,e,T, z*} and define 



9r{z) 
pr{z) 



'k-i 

n 



z* — je 

k 



n 



(r + j)e-^ 
(r + j> 



j=-k 

k 

Dr{i) = e^'^-' n (^-^)' 
e=-k 

r 

2hr = -1[1,0]+Ct Y1 Pr{j^)[j^,0] 

j=z*/e 

-l[z* -ke,z*] + l[z*,z*] 



(164) 
(165) 
(166) 
(167) 

(168) 



+Cr 

j=z*/e 



i=—k 



(-l)V((j+i)6)ffT(ig) 

{je)i{j + i)e)Dr{i) 



\ 



[(i + Oe,je] 



and vr{x,y) = hr{y,x) 
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Lemma 33. Given T as in Definition[3R if 

1 > Ct y ^ (169) 

then /iT is a valid horizontal function and vj- is a valid vertical function. 

Proof. By symmetry, it suffices to prove that /it is a valid horizontal function. It is also sufficient 
to check the conditions independently on each of the three lines of Eq. ()168p . Given the constraint 
in the definition of the lemma, the first line is a valid point split and the second line is a valid point 
raise (see Lemma [22]) . 

Also Pv{z) > for z* /e < z <T so Ct > and it can be canceled as we focus on the term in 
parenthesis in the third line for each integer j G [z*/e,r]. If we define 

/.(X) = (-l)'-^gx(;^)gT(j^) (170) 
then we can write the line at y = je as 

where Xi £ {0} U {{j — k)e, . . . ,{j — l)e, {j + l)e, . . . , (j + k)e} and we used 5t(0) = 1 among other 
relations. 

Now we can apply Lemma[3T] which tells us that the above function is valid so long as fj{—X) is a 
polynomial in A of order no greater than 2k— 1 and positive for all A > 0. The first condition is trivial 
and the second follows because g-r{—\) > for A > and (— l)^~^(7T(ie) > for z* < je < Te. □ 

Lemma 34. Given T as in Definition\3^ we have 

hr + vr = -^[1, 0] - ^[0, 1] + l[z*,z*]. (172) 

Proof. The only nontrivial cancellation is on the points [z* — ke, z*] and [z* , z* — ke] which have by 
symmetry the same coefficient (with the same sign) . Because each line of hj; conserves probability, 
hr + vr must have a net zero probability, and so the coefficients of these points must also be 
zero. □ 

Corollary 35. Given T as in Definition\3^ if 

1 > Ct y ^ (173) 

]=z*/e 

then hy and vx is a TIPG with final point [z*, z*]. 

Lemma 36. Given T as in Definition s^ there exists a family of solutions to 

1 > Ct y ^ (174) 
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such that e — > 0, F ^ cxd and 

k + 1 



(175) 



2k + 1 

Proof. For a given e and F, the best z* is constrained by z*/e G Z and 

E PX(K) > E (170) 

J = 2*A j = Z*/t 

where we have expanded the definition of Cf- We then use 



..-fa; V-^=y > Pr(z) >[^—) (^—j (^—j (177) 

to note that if we choose z* in accordance with the strict inequahty 

^ V z* ) [je + ke J ^ ^ V 2* - ke ) [je - ke) ^^'^^^ 

then we can always find a large enough integer A so that the original inequality is satisfied (that 
is because the new right-hand side is greater than or equal to the original right-hand side, whereas 
the original left-hand side will converge as A — > oo to an expression greater than or equal to the 
new left-hand side). 

Similarly, if we choose z* in accordance with the strict inequality 

dz > / — — - dz (179) 



Z J \Z J J z* \ ^ J \^ , 

we can find an appropriate e > so that the original constraints are satisfied. The argument for 
solving the above inequality is the same as the one used for Eq. ()16ip through Eq. ()163p . The 
constraint becomes 

and therefore for any such z* we can find appropriate e and F that satisfy the original constraints. 

□ 

Corollary 37. For every integer k > there is a family of coin-flipping protocols that converges 
to 

Corollary 38. There exists protocols for quantum weak coin flipping with arbitrarily small bias. 
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6 Conclusions 



We have constructively proven the existence of protocols for quantum weak coin flipping with 
arbitrarily small bias. In the end, it appears that quantum information has fulfilled at least a small 
part of its promise in the area of two-party secure computation. 

We have also tried to provide a primer on how to use Kitaev's formalism to build interesting 
protocols. Hopefully the present result will be the first of many to be obtained by viewing quantum 
games as dual to the cone of bi-operator monotone functions. 

6.1 Open problems 

1. Improvements and extensions to the proof: 

(a) We did not explicitly complete the proof that if no coin-flipping protocols with arbitrarily 
small bias exists, then the bound can be proven using a bi-operator monotone function. 
Completing the proof would show that the cone of TIPGs and the cone of bi-operator 
monotone functions are dual. 

(b) We have only constructed protocols for the case Pa = Pb = 1/2. Protocols for other 
cases can be constructed using serial composition of this protocol. Nevertheless, it should 
also be straightforward to explicitly describe a TIPG for such cases. 

(c) The alternative construction from Section [5.1.31 needs to be fleshed out. It may lead to 
some elegant TIPGs. 

(d) Appendix O needs to be simplified/made more elegant. 

2. Improvements and extensions to the protocol: 

(a) Can we find a simple unitary description (such as the one in Appendix |A]) of a family of 
protocols that achieves arbitrarily small bias? 

(b) Can we optimize the resources (messages, storage qubits, complexity of unitaries?) 
needed to implement such a protocol. 

i. What are the asymptotic costs of achieving arbitrarily small bias? 

ii. What are the practical costs of achieving small bias? How hard would it be to make 
a protocol with bias 0.001? 

(c) What can be said about multiparty weak coin flipping? 

3. Beyond weak coin flipping 

(a) Weak coin flipping with arbitrarily small bias leads trivially to a new protocol for strong 
coin flipping with bias (arbitrarily close to) 1/4. Is this the best that can be done? 

(b) More generally, what is the optimal protocol for strong coin flipping with cheat detection? 
While the formalism in this paper can be adapted to strong coin flipping, it probably 
cannot be used unmodified. The difference is that in strong coin flipping we need to 
simultaneously bound four quantities (Alice and Bob's probabilities each of obtaining 
zero and one). Even classically one can construct protocols that achieve PaqP^o = 1/2 
(so long as one is willing to tolerate Pai = Pbi = 1)- 
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(c) Strong coin flipping with cheat detection can be used to bound bit commitment with 
cheat detection. Do they share an optimal protocol? Can it be used as a building block 
for all secure two-party computations with cheat detection? 

(d) Kitaev's first formalism can also be used in the study of specific oracle problems. In this 
context the second formalism could be used to study all oracles simultaneously, which 
may prove useful in identifying optimal oracles in some sense (for instance for proving 
separations between quantum and classical computation). 

(e) What else? 
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A Dip-Dip-Boom and the bias 1/6 protocol 



We present in this section a reformulation of the bias 1/6 protocol from |Moc05j . The new version 
of the protocol is simpler and uses measurements throughout the protocol in order to keep the total 
storage space small: one qutrit for each of the players and one qubit for sending messages. In fact, 
the message qubit can be discarded and reinitialized after each message, so that only the qutrits 
need to be kept coherent for the length of the protocol. 

The new protocol can be described as a quantum version of the ancient game of Dip-Dip-Boom, 
whose classical version is played as follows: two players sequentially say either "Dip" or "Boom". 
In the first case the game proceeds whereas in the second case the game immediately ends and the 
person who said "Boom" is declared the winner. There are no bonus points for longer games and 
a player can begin and immediately win a game by saying "Boom". Why this game is played at 
MIT, and how it was accepted as a major component of the author's doctoral thesis, are questions 
beyond the scope of this paper. 

What we shall do is build a coin- flipping protocol out of the above game. First, we introduce 
honest and cheating players. Honest players will have to output "Dip" vs "Boom" according to 
some previously fixed probability distribution, whereas cheating players are still free to say whatever 
they want at each round. A game is now specified by a set of numbers pi,p2,P3, ■ ■ ■ so that pi is 
the probability that the ith. word is "Boom". Note that pi,p3, . . . apply to the first player whom 
we call Alice and P2,Pa^ ■ ■ ■ apply to the second player whom we call Bob. For convenience we shall 
fix an n > 1 and assume that the game ends after n messages by setting pn = \. 

We now define the quantities -Pa(O) -Pb(^) ^'^^ Puij) which are respectively the probabilities that 
after i messages Alice has won the game. Bob has won the game, or the game remains undecided. 
These quantities can be inductively calculated by 

„ / X I PA{i — 1) for i even, 

pJi) = { ' ' 182) 

\PA{i-l)+PiPu{i-'\-) fori odd, 

p U\ ^ {PB{i-l)+PiPu{i-^) fori even, 

^^'^ \PB{i-l) fori odd, ^ ' 

Pu{i) = il-pi)Pu{i-l), (184) 

with initial conditions of Pu{0) = 1 and Pa{0) = Pb(0) = 0. 

The quantum version of the protocol is simply a coherent version of the above, with an additional 
cheat detection step. Alice and Bob will each hold a qutrit 

A = 13 = span{\ A), \B),\U)} (185) 

which encodes the state of the game: "Alice has won" , "Bob has won" and "undecided" respectively. 
The message space is just a qubit 

M = span{|DIP), |BOOM)} (186) 

comprising the two possible messages. 

Amplitude will be moved coherently using the unitary operator Rot defined by 

Rot{\a),\P),e) = {\a) I/?)) ^T^) ((J^j) + " H " I/?) (/^l) , (187) 
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which simply effectuates a rotation in the 1/3) plane. For instance, consider the classical step 
where Alice says "Boom" with probability p given that her state is \U). In the quantum protocol 
this is described by the rotation Rot(|i7) |DIP),|A) ® |BOOM),p). Assuming that previously 
1^) ® |BOOM) had zero amplitude, the operation will move into this state an amplitude of ^ 
times the prior amplitude oi\U) ® |DIP)- We are now ready to state the quantum protocol: 

Protocol 39 (Weak coin flipping with bias 1/6, simplified). 

Fix n > 1 and numbers pi, . . . € [0, 1]. Define A, B, M., PAii), Psii) and Pu{i) as above. The 
protocol has the following steps 

1. Initialization: Alice prepares \U)<^\DIP) inA<SiM- Bob prepares \U) inB. 

2. For i = 1 to n execute the following steps: 

(where we use X to denote the player that would choose the ith message in the classical 
protocol, and Y is the other player. That is X = A and Y = B if i is odd or X = B and 
Y = A if i is even). 

(a) X applies the operator 

R, = Rot {\U) ® \DIP), \X) \BOOM), pi) . (188) 

(b) X sends the qubit H]\j which is received by Y . 

(c) Y applies the operator 

Ri = Rot (\U) \BOOM), \X) \DIP), ^'^^^]~ • (189) 
V Px(i) J 

(d) Y measures the message qubit M in the computational basis. 
If the outcome is \BOOM) then Y aborts and outputs Y . 

3. Alice and Bob each measure their qutrit in the computational basis. If the outcome is U they 
declare themselves the winner, otherwise they output the measurement outcome as the winner. 

It is not hard to see that when both players are honest the state of the system at the end of the 
ith. iteration of Step [2] can be written as 

(VP4(i)|A) \A) + ^/PBii)\B) \B) + VPu{i}\U) \U)) |DIP). (190) 

To obtain a standard coin- flipping protocol we must therefore restrict the choices pi, . . . ,pn to 
values such that -Pa(?^) = Psii^) = 1/2- For simplicity, we will also assume that for i < n, the 
other probabilities pi are neither zero nor one. In particular, this requires the previously discussed 
condition pn = 1- 

Step I2dl is the new element of the quantum protocol, and serves as a cheat detecting step. 
Without this measurement the protocol is exactly equivalent to the original classical protocol. 

It is important to note that when both players are honest, neither will ever abort in Step I2d[ 
However, when one player is cheating then the honest player will abort at Step I2dl with some 
non-zero probability. Roughly speaking, the measurement compares the ratio of amplitude in 
"Boom" (tensored with \ U)) in the present message, to the total amplitude of "Boom" from previous 
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messages. The classical strategy of declaring with probability one "Boom" on the first message 
is thwarted because this ratio will effectively be zero for all subsequent messages. The optimal 
quantum cheating strategy involves a small amount of cheating on each message, but that gives an 
honest player an opportunity to declare victory too. 

In the next section we will sketch the computation of and for the above protocol and 
find that they match the expressions for the optimal protocols from |Moc05) . This is the first step 
in proving the equivalence of the two protocols. A complete proof of equivalence would take us too 
far afield, though one possible route follows from the discussion in Section I3.2.2[ 

In practice, the main difference between the protocols is that in the one presented above the 
cheat detection is done gradually as the protocol progresses rather than in one big measurement 
at the end. This simplifies the description of the protocol, and reduces the resources required for a 
physical implementation. Alas, it does not make it any more cheat resistant. In the limit n ^ oo 
and with suitably chosen values for pi, . . . ,pn (almost any choice so long as they go smoothly to 
zero as n — > oo) the above protocol achieves a bias of 1/6. 



Analysis 



In this section we will make use of Kitaev's first formalism to compute P^ (P^ can be obtained 
by a similar argument). In other words we will find a feasible point of the dual SDP. Of course, 
this only proves an upper bound on P^, but the resulting expressions are in fact optimal, and a 
matching lower bound can also be constructed. 

The final result for this section will be P^ as a function of the variables pi, . . . ,pn- We will not 
attempt to find the optimal values for these parameters as that task is already done in |Moc05j . 
We will also not attempt to describe the result as a TDPG, though this is a simple task using the 
dual feasible point constructed below. 

Henceforth we will consider the case of honest Alice and cheating Bob. The analysis will be 
done from the perspective of Alice's qubits which must satisfy the following SDP: 



Pi 

TrA4 [pi] 
Pi 



Ttm[Ri {\U){U\ |DIP)(DIP|) r\], 
Pi-i 



for i even, 
for i > 1 odd, 



Pi 



P, 




RnPnRn\ 



n odd, 



n even. 



(191) 
(192) 

(193) 

(194) 
(195) 



where pi is the state of Alice's qubits immediately after the ith message (i.e., after Step [2b]). The 
state Pi for even i is an operator on A® M and is unknown but constrained by pi-i. The state pi 
for odd i is an operator on A and can be computed from pi-i by applying the operators that Alice 
would use. 

Note that IIdip = I ® |DIP)(DIP| is a projector corresponding to a successful measurement in 
Step I2d[ The normalization of pi will therefore be the probability that Alice has not aborted yet. 
The final state pj on A will have a similar normalization and Pwin will be the probability that 
Alice outputs a victory for Bob. In particular, Bob's maximum probability of winning by cheating, 
P^, is given by the maximization of Pwin over positive semidefinite matrices satisfying the above 
constraints. 
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The dual to the above SDP can be written in the following form: 



|DIP)(DIP| 

Zi_i (g) Im 



< {U\Zo\U), 



> 
> 



nBipR] {Zi ^ Im) Ri'^Bip 
i?J(Z,0 |DIP)(DIP|)i?i 

\B){Bl 



for i odd, 
for i even, 



(196) 
(197) 
(198) 
(199) 



where the variables Zq, . . . , Zn are semidefinite operators on A. Any assignment of these variables 
consistent with the above constraints provides an upper bound on P|j. The infimum of {U\Zq\U) 
will in fact be equal to P^. 

Now comes the crucial bit of guesswork, where we choose a diagonalizing basis for the operators 
Zi. Because any assignment to Zo, Zn consistent with the constraints provides an upper bound 
on P^, choosing a bad basis will at worse give us a non-tight upper bound. Based on experience 
from past protocols, we choose to restrict ourselves to studying matrices that are diagonal in the 
computational basis, and we write 




(200) 



We can now express Eq. (jl97p as 
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valid for i odd. We can also write Eq. (I198P as 
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valid for i even, where we introduced pi = PiPu (^ — 1) /Pb (i) as a notation for the rotation parameter 



of Ri. The above inequality can be simplified to Oj 
2x2 matrix 



-1 > ai 



1 ^ Ui, plus the positivity of the 



bi-i - (1 -Pi) bi 
-\/Pi(l -Pi)bi 



-VPiU-pi)b, 
Ui-i -Pih 



> 



(203) 



which is satisfied if its determinant and its diagonal elements are non-negative. 

It is not hard to see that we can choose Oj = for all i. We are after all trying to minimize 
{U\Zq\U) = uq. We now get the relation Ui-i = (1 — Pi)ui for i odd, and we know that the best 
that we can hope for is Ui-i = Ui for i even. If this were true we would have 



Ui 



Uo 



' 1 



j odd 



Pi 



(204) 
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Let us be optimistic, and assume the above holds and then check whether the remaining constraints 
can be satisfied. Surprisingly, we shall find that the answer is yes. 

The intuition for the bi variables is that 6^ = 1 and bi increases as i decreases. In fact, the 
larger b^ is, the better the bound we will find, and the infimum is attained for bo = oo. With a 
little care, we can directly handle this infinity and get bi = bo = oo and 62 = ui/p2 which satisfies 
Eq. (12(13]) for i = 2. 

The remaining conditions for bi will no longer involve infinities and are obtained by minimizing 
the determinant Eq. ()203p . which leads to 

— = — — I — ; — — for i even, (205) 

bi Ui-i 

which also guarantees that the constraint on the diagonal elements of Eq. (j203p is satisfied. By 
induction we can write 

* j=2 ■> ^ k=j+2 j=2 J k=j+2 ' j=2 J ^ ' 

j even k even j even k even j even 

- E^i;^-^E«^o--i)na-po. (207) 

j=2 J ^ u £(v ; k=l 

J even j even A; odd 

where in the second equality we used Psik) —PkPuik — 1) = Psik — 1) for k even, and in the third 
equality we used Psik + 1)/Pb(^) = 1 for k even. 

What we have done is solve for all the dual variables in terms of uq- We have also satisfied all 
constraints except for those from Eq. (|199p . which tells to set 6„ = 1 and allows us to solve for uq 
to obtain our upper bound: 



0-1 



j=2 \k=l 
j even 



/ \ k=l 

\k odd 

where we used PB(n) = 1/2. 

The above expression is equivalent to the result found in |Moc05| . For a simple example, take 
the Spekkens and Rudolph [SR02bj protocol with = = l/\/2, which can be described in the 
above formalism by setting pi = 1 — l/\/2, p2 = l/\/2 and ^3 = 1. The above bound then becomes 
uq = 2^2(1 — Pi)"^ = l/\/2 as expected. 
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B Proof of strong duality 



We say strong duality holds when the maximum of the primal SDP and the infimum of the dual 
SDP are equal. Though strong duality does not hold in general, it does hold in most cases. A 
number of lemmas which provide sufficient conditions for strong duality can be found in convex 
optimization books such as [BV04] or |Bar02] . In this section, however, we aim to give a direct 
proof of strong duality for the particular case of the coin-flipping SDP. This appendix follows the 
notation of Section 12.11 

More specifically, the goal for this section is to prove the existence of arbitrarily good upper 
bound certificates. Mathematically, we aim to show that inf {iPa,o\Za,o\'^a.o) = -Pb' where the 
infimum is taken over all dual feasible points. 

Let us begin by defining Ri as the set of density matrices pA,i on A that are attainable by a 
cheating Bob after i messages. We will focus only on even i. These sets satisfy the properties: 

• Ro = {\TpA,o){i^A,o\}- 

• Ri+2 = ^TrM[UA,i+iPA,iUj^^-_^_^] : pA,i > and Ti m PA,i G Ri^- 

• Ri is convex for all i. 

The last property follows from the previous two by induction. 

Though in general we cannot find a dual feasible point such that {tpA,o\ZAfl\'4'Afl) = -Pb, we can 
get arbitrarily close. Specifically, we can prove that for every e > we can pick the dual variables 
one by one, starting with Zn-2 and working our way backwards towards Zq, such that 

• ZA,i ^ Im> {ZA,i+2 ^ Im) UA,i+l 

• maxp^^g/j^ Tr[ZA,iPA,i] < maxp^^^^e^.+j Ti[ZA,i+2PA,i+2\ + 2e 

for even i, where as usual Za^h = ^A,i- The first condition guarantees that the constructed solution 
is indeed a dual feasible point (the operators for i odd can be found from the equality ZA,i = ZA,i+i)- 
The second condition gives us 

(V'A,o|^A,o|V'A,o) = max Ti[ZAflPAfl]< max Ti[ZA,nPA,n]+ne = P% + ne (209) 

PA, o£Ro PA,n&Rn 

which is the desired result since e > is arbitrary and we already know by weak duality that 
{^Afi\ZA,MAfi) > P*B- 

Let us assume that e > has been given and that ZA,i+2, ■ ■ ■ , ZA,n have been constructed 
according to the above criteria. We shall find a ZA,i satisfying the criteria as well. 

Let r = ul^-_^-^ {ZA,i+2 ® Im) UA,i+i, define Pos(^) to be the set of positive semidefinite oper- 
ators on A and define the function / : Pos(^) — > R by 

f{p) = _ max Tr[rp], (210) 
pePos{yl(giA^) 

TrA4[p]=P 

where we are maximizing over positive semidefinite operators p on on A'E' M whose partial trace 
is p. The function / has a number of simple to verify properties 

• maxpe/j„ f{p) = maXp^^^^^^zR^^^ TT[ZA,i+2pA,i+2\ = 7- 
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• / is continuous. 

• / is concave (equivalently f{p) + f{p') < f{p + p')). 

where we used the first equality to define 7. 

We now aim to construct a convex set out of / by using the space of points below its graph. 
More specifically let V be the vector space of Hermitian operators on A. We want to think of F as a 
real Hilbert space of dimension (dim^)^ with inner product {H\H') = Tr[i/^^i?']. Let = 1/ x R, 
which can be parametrized by ordered pairs {H, a) where H \s a. Hermitian operator on A and 
a G M. Now define the set X (ZW by 

X = |(i^,a) : H £ Fos{A),TtH < 2 and - 1 < a < /(F)}. (211) 

The numbers 2 and —1 are arbitrary, and are mainly there to make X compact. It is easy to check 
that X is a convex and has non-empty interior. 

Now we define a second compact convex set Y which will be disjoint from X but will sit above 
it (see Fig. [9|). We use the fact that / is continuous to find a 5 > such that 

T. ,.^J^^, /(p) <max/(p)+e = 7 + e, (212) 

where dist(/3, Ri) is the £2 distance. The idea is that we want Y to sit atop the set Ri but we also 
want Y to have non-empty interior. Therefore we expand Ri to a small (closed) neighborhood of 
Ri still consisting of positive semidefinite matrices Rf = {p G Pos(^) : dist{p, Ri) < 6}. Now we 
define Y C W as 

Y = |(i?,a) ■.HeRfandj + 2e<a<j + 2e + iy (213) 

The set Y is convex because Ri was convex and the distance function is convex. Y is also compact 
with non-empty interior and disjoint from X. 

Now we use the separating hyperplane theorem (see for instance |BV04| §2.5) which says that 
given two disjoint compact convex sets there exists a hyperplane such that each set is on one side 
(a proof sketch is let x E X and y £Y attain the minimum distance between X and Y, then define 
the hyperplane by the equation {x — y) ■ {w — {x + y)/2)) = for w € W). 

Because Rf is of non-empty interior in V, and X and Y respectively provide lower and upper 
bounds on the hyperplane is this region, the hyperplane cannot be vertical and its normal vector 
can be written in the form (M, 1) where M is Hermitian. The hyperplane itself can be parametrized 
as (M, 1) • (H, a) = c for (H, a) G W and some parameter c G M. As the hyperplane separates the 
sets X and Y we can write 

• {H,a) £ X =^ c - Tr MH > a, 

• {H,a)£Y c-TrMH <a. 

We are now ready to choose ZA,i = cl — M. The two properties above tell us that 

• For all density operators p on A we have Tr[ZA,ip] > fip)- 

=^ For all density operators p on A0 M. we have Tr [{ZA,i I)p] > Tr[Tp]. 
=^ ZA,t C/^.i+i i^A,i+2 ® Im) UA,t+l. 
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X 



Ri 

Figure 9: The sets X and Y . The horizontal axis is a cross section through the density operators 
given hy p = x|0)(0| + (1 — x)|l)(l|. The curve is given by f{x) = {y/x + \/l — x)^/2 corresponding 
to r being a projector onto a bell state. The optimal state p* maximizes / on the feasible set 
Ri. The ideal hyperplane is the tangent to f dX p*. Unfortunately, it is quite common that along 
some cross sections Ri corresponds to a single boundary point where the slope of / is infinite. The 
non-zero width of Y guarantees a finite slope for our (non-optimal) hyperplane even in this case. 



• For all p e Ri we have Tr[ZA,ip] < 7 + 2e. 

=^ maxp^ .gfl, Tr[ZA,ipA,i] < max^^ ..^^eiii+z Tr[ZA,i+2pA,i+2] + 2e. 

Therefore our chosen ZA,i satisfies the two required properties and we have completed the proof 
of strong duality for coin flipping. 
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C From functions to matrices 



TDPGs are specified in terms of pairs of functions constituting valid transitions. In order to compile 
them back into the language of quantum mechanics and semidefinite programming, we need to have 
a way of extracting matrices (states and unitaries) out of these transitions. That is our goal below. 
As a corollary we shall prove Lemmas [16] and [TTl This section uses the notation from Section 12.31 
We begin our discussion by considering the following alternate condition on transitions: 

Definition 40. Let p{z) and q{z) be two functions [0, oo) [0, oo) with finite support. We say 
p{z) q{z) is expressible by matrices if there exists positive semidefinite operators X and 
Y, and an (unnormalized) vector ji/') such that X < Y and p{z) = Prob(X, j-i/;)) and q{z) = 



It is not hard to verify that all transitions expressible by matrices are also valid, justifying our 
notation. It is also true that all transitions constructed from UBPs are expressible by matrices (the 
only non-trivial step is to expand the Hilbert space so as to purify the density operator). What 
we will end up showing by the end of this section is essentially the converse: that all strictly valid 
transitions are expressible by matrices. This is the content of Lemma [TBI 

Given that valid transitions and transitions expressible by matrices are essentially equivalent 
concepts, we could have used the latter in our definition of TDPGs. However, that would diminish 
one of the main accomplishments of TDPGs: moving the problem of coin flipping outside the 
traditional realm of quantum-mechanics/matrices/SDPs. 

We note that there do exist valid (but not strictly valid) transitions that are not expressible by 
matrices unless we allow infinite eigenvalues. However, all operators in this paper are assumed to 
have finite dimension and finite eigenvalues. 

The restriction to strictly valid transitions can be lifted if we work with functions defined on 
a compact domain rather than our usual domain of [0,cxd). For this section it will be useful to 
work with such compact domains, and we extend to them our definitions of valid and expressible 
by matrices: 

Definition 41. Fix a compact interval [a,b]. Given two functions p{z),q{z) : [a,b] — > [0, oo) with 
finite support we say p ^ q 

• is valid on [a, b] if Y^zPi^) — I^z '^^'^ Z^z jfli^i-^) ~ Pi^)) — ^ f^'"' G R \ / . 

• is expressible by matrices in [a, b] if there exists matrices X, Y with spectrum in [a,b], 
and a vector \'tjj) such that X <Y and p{z) = Prob(X, |^)) and q{z) = Prob(y, |^)). 

These definitions become useful with the following lemma: 

Lemma 42. Given two functions p{z),q{z) : [0,oo) [0, oo) with finite support such that p ^ q 
is strictly valid, there exists A > 0, larger than the maximum of the supports of p and q, such that 
p ^ q is valid on [0, A]. 

Proof. Because p ^ q is strictly valid ^ili^) ~ > which implies 



Prob(y, IV^)). 



A 




(214) 



z 
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where the expression mside the Umit is only defined for | A| larger than the maximum of the support 
of p and q. The expression inside the limit is continuous as a function of A, so there must exists a 
finite A > such that for A < —A we also have satisfy the inequality 'Yfzi'jli^) ~ P{^)) > 0- I— ' 

We can now restrict our attention to probability distributions and operator monotone functions 
with domain [0, A] and matrices with eigenvalues in [0, A], for some large A > 0. 

One approach to proving that valid on [0, A] implies expressible by matrices in [0, A] is as follows: 
define K to be the set of functions with finite support of the form g(z) = q{z) — p{z) : [0, A] ^ M 
where p — > (7 is expressible by matrices with eigenvalues in [0, A]. The set K is a convex cone, and 
we can define its dual cone K* in the space of functions with arbitrary support f{z) : [0,A] — > M. 
The inner product between the two spaces is defined by {f\g) = f{z)g{z) which is well defined 
because g has finite support. It is easy to check that K* is exactly the set of operator monotone 
functions with support [0, A]. The dual K** of K* is the set of functions with finite support of the 
form g{z) = q{z) — p{z) : [0,A] M where p ^ q is valid. Proving K** = closure(ir) covers most 
of what we want to prove. The two difficulties with this approach is that it requires some fairly 
advanced analysis to properly place K and K* into a pair of locally convex dual topological vector 
spaces (see for instance [Bar02j §IV.4), and that in the end we prove something slightly weaker than 
needed: mainly we find a transition expressible by matrices p' — > q' so that q'{z) —p'{z) = q{z) —p{z) 
rather than the stronger conditions p'{z) = p{z) and q'{z) = q{z). 

Instead we will use a more constructive approach to completing the proof: Given p ^ q valid 
on [a, 6], we will construct a perturbation p' of p so that — > g is still valid on [a, h] and such that 
proving that this new transition is expressible by matrices in [a, b] will also prove that the original 
transition is expressible by matrices in [a, 6]. Alternatively, we may find a perturbation q' of q and 
reduce the problem to studying p ^ q' ■ A sequence of such transformations can be used until we 
end up with a valid transition that is also trivially expressible by matrices. 

To formalize the perturbations we need to introduce some notation. Given p : [a, h] [0, 00) 
with finite support we define a canonical representation p = Prob(X, {ip)) by choosing X diagonal 
with a non-degenerate set of eigenvalues equal to S{p), the support of p, and then choosing \ip) = 
J2zeS(p) In particular, the dimension of X is the size of the support of p, denoted 



by |S'(p)|. Similarly we can construct a canonical representation for q : [a,b] — > [0,cxd) as q = 
Prob(y, |.^)) with the spectrum of Y is equal to S{q). Note, however, that even if p — > g is valid on 
[a, b] the matrices X and Y so constructed have no a priori relation, and in general are of different 
dimensions. 

All perturbations will be of the following form: let c > be a constant and |0) a non-zero 
vector. Set X' = X + c\(j)){(j)\ and (assuming X' has eigenvalues in [a,b]) set p' = Prob(X', IV"))- 
Then p — > p' is trivially constructable by matrices in [a, b]. Similarly, we can set q' = Prob(y , |.^)) 
for Y' = Y + c\(/)){(j)\ where now we want c < 0. Ensuring that the perturbations can be chosen so 
that p' ^ q or p ^ q' are valid will take up most of the rest of the section. 

Our first simple result bounds the dimension of the space needed when studying general tran- 
sitions that are expressible by matrices. It also standardizes the spectra of the matrices involved. 

Lemma 43. Let p ^ q be expressible by matrices in [a, b], then we can find matrices X <Y and 
a vector \<j)) such that p = Prob(X, {ip)) and q = Prob(y, {ip)) and additionally: 

1. The spectrum of X is equal to {a} U S{p), with all eigenvalues (excluding a) occurring once. 

2. The spectrum ofY is equal to {b} U S{q), with all eigenvalues (excluding b) occurring once. 
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3. The dimension of X and Y is no greater than \S{p)\ + |5'((7)| — 1. 

Proof. The fact that p — > g is expressible by matrices in [a, b], guarantees the existence of matrices 
X <Y with spectrum in [a, b] and a vector \(j)) such that p = Prob(X, |^)) and q = Prob(y, \tp)). 
What we need to prove that we can modify the given matrices to satisfy the additional properties. 

We begin by working with X and \ip). We can write {ip) = y^p{z)\z; X) where z ranges 
over the support of p and \z;X) is a normalized eigenvector of X with eigenvalue z. Let 11 = 
J2z be the projector onto the spaced spanned by these eigenvalues. If we define X' = 

HXU + a{I — n) we obtain a new matrix with eigenvalues in [a, b] that is diagonal in the same 
basis as X, but may have some eigenvalues changed to a. Therefore, X' < X < Y . Furthermore, 
X' has the desired spectrum and p = Prob(X', 

We can do something similar with Y. We can again write \ip) = q{z)\z; Y) where z ranges 

over the support of q and \z; Y) is a normalized eigenvector of Y with eigenvalue z. Note that even 
if p and q both have support on z we may have \z;X) ^ \z;Y). We now set 11 = |2;;y)(z;y| 
and define Y' = UYU + b{I - U). The new matrix satisfies X < Y < Y' , q = Prob(y', \ip)), and 
has the desired spectrum. 

Everything is correct except for the dimension. Now let 11 be the projector onto the space 
spanned by both and {|z;y)}. The dimension of this space is no greater than |S'(p)| + 

[/^(g)! — 1 (the minus one occurring because \^) is in the span of both sets of vectors). Clearly 
= IV') and both X' and Y' are block diagonal with respect to 11 and / — 11. Therefore, the 
required objects are X' , Y' and restricted to the support of H. □ 

Corollary 44. Expressible by matrices in [a, b] is a transitive relation. 

Proof. Let p ^ r and r — > g be expressible by matrices in [a, 6]. We use Xi, Yi and 1^"!) for the 
first transition and X2, I2 and \tp2) for the second transition, all chosen in accordance with the 
conditions of Lemma H3l The matrices Yi and X2 have the same spectrum, except that the second 
one has extra a eigenvalues and the first one has extra b eigenvalues. We can append eigenvalues 
to both of them using a direct sum so that 

(0' T/) ^^^^ 6/) 

have the same spectrum and dimension, where the blocks may be different sized. We can also map 
\'4)i) and \ip2) into this enlarged space by using a direct sum with a zero vector. 

Because the two unitaries have the same spectrum, there exists a unitary that maps the second 
into the first by conjugation. We can further ask that the unitary satisfy ?7|V'2) = IV'i) because up 
to a phases they assign the same coefficient to each eigenvector. Then 

We can construct p out of the first matrix and the extended \il)i){tjji\ and we can construct g out 
of the last matrix and as well. Therefore p ^ g is expressible by matrices in [a, b]. □ 

Before studying the perturbations, we need one final simplification. Though the domain [0, A] 
is good, the domain [—1, 1] is even better because we can write = and — A G M \ [—1, 1] is 
equivalent to 7 S (—1, 1), which is a connected set. Note that the value 7 = corresponds to the 
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(215) 



function f{z) = z, and by continuity in 7 we can always include/exclude it among our conditions. 
The fohowing lemma follows by a simple rescaling argument. 

Lemma 45. // every valid transition on [—1, 1] is expressible by matrices in [—1, 1] then every valid 
transition on [0, A] is expressible by matrices in [0,A]. 

It will also be convenient to work with functions p and q with support in (—1,1), though we 
still keep a domain of [—1, 1]. 

Lemma 46. If every valid transition on [—1, 1] involving functions with support on ( — 1, 1) is 
expressible by matrices in [—1, 1] then every valid transition on [—1, 1] is expressible by matrices in 

[-1,1]- 

Proof. Fix p,q : [—1,1] — > [0, 00) with finite support so that p ^ q is valid in [—1,1]. For any 
< c < 1 we define functions [—1,1] [0, 00) by 

^^(^) = |f(f) ^^[-c,c], q,{z) = h^^ ^^[-c,c], ^217) 

1 otherwise, 1 otherwise, 

which have support in (—1, 1) and furthermore pc — > qc is valid in [—1,1]. Therefore, the transition 
is expressible by matrices in [—1,1] and and we can choose Xc, Yc and {ipc) in accordance with 
the constraints of Lemma H3l Furthermore, by changes of basis we can ensure that Xc and \ipc) 
converge as c — > 1 to the canonical representation of p (appended with —1 eigenvalues). Any limit 
point of l^c as c — > 1 will complete the proof. □ 

For the rest of this section we will be concerned with the interval [—1,1]. When clear from 
context we will use the terms valid and expressible by matrices to refer to valid on [—1,1] and 
expressible by matrices in [—1,1]. 

We now begin studying perturbations on p and q which will have constraints arising from 
rational functions in 7 of the form i+^yz (^C-^) ~ Pi'^))- The main difficulty will be near the zeros 
of the function, which we want to approximate by simple expressions of the form a\j — jo\^. The 
following is a standard result. 

Lemma 47. Let N{'y) and D{'j) be two non-negative polynomials for 7 G [—1, 1]. If N has a zero 
of order k at j = jq £ [—1, 1] and -D(7o) 7^ then for any k' > k > k" > there exists e,a,b > 
such that 

a|7 - 70I''' < ^ - lof for 7 G [-1, 1] satisfying \ j - 70I < e. (218) 

L>(7) 



Proof. Choose e > so that A^(7) and D{'y) are non-zero for < I7 — 7o| < £• Let a be the infimum 
of ■; — , and b be the maximum of -. . for 7 G [—1, 1] satisfying < I7 — 70I < e. 

|7-7or D{-y) l7-7or -D(7) 

Note that the cases 70 = —1 and 70 = 1 are special in that k can be odd, and the inequalities will 
only hold inside the region [—1,1]. □ 

For the next set of lemmas let TChe a. real n-dimensional Hilbert space, let X be an operator on 
H, let IV') and |0) be non-zero vectors in TC and let c 7^ be a real constant. Also let /^(a;) = 
for x G [-1, 1] and 7 G (-1, 1). 
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Lemma 48. Let X, c and /^(x) be as above. If both X and X + c|(/))((/)| have eigenvalues in 
[—1,1], then 



UX + c\<p){<l>\)-fJX) 



i + jc{4>\ (i + jX) 

Proof. The proof for 7 = is trivial. Otherwise f-yix^ ~ ^ 



r^) ii + ^xy'\<p){<p\ {1 + -1X) 



-1 



(219) 



1 



1 



c' = 7c. Because Z is positive definite and Z + c!\(j)){(j)\ is also positive definite, then 



. Let Z = I + 7X and 



-1 



(^/ + c'Z^l/2|^)(<^|^-l/2j ^1/2 



-1 



1 \ Z-1/2|0)(^|Z-V2^ 



l + c'(</)|Z-i 
c' 



z-1 



l + c'(0|Z-i 
c' 



Z-^l^\ct)){(i)\Z-"^]z-^l^ 



2-1/2 



l + c'{(h\Z- 



Z-'\^){ct>\Z-\ 



(220) 



where the third equality follows because I + c'Z ^ {(l)\Z g, matrix with only two eigen- 

values. The main result follows because its LHS equals —^{{Z + c'\(l)){(l)\)~^ — Z~^). □ 

We are ready to start imposing constraints on the transitions p ^ p' for p = Prob(X, Itp)) and 
p' = Prob(X', IV'))) where X' = X + c\<j)){(j)\. In particular, we want to place an upper bound on 

T^zTT^ip'i^) - Pi^)) = ii^l^fii^ + c\(t>){4>\) - f'r{X)^\^) in the form of a polynomial with a 
zero of order 2k. The next lemma will show that there are many choices for |0) that satisfy the 
bound. In fact, there is an n — A; subspace of such vectors. 

Lemma 49. LetTL, n, X, \ip) and f-y{x) be as above, with the eigenvalues of X restricted to (—1, 1). 
Given a polynomial 6(7 — 70)^'^ with constants b > 0, integer k > and 70 G [—1, 1], then we can 
construct an (n — k)- dimensional subspace TC' C TC such that for every £ Ti.' there exists c > 
and e > satisfying 

(V'|(^(X + c|</.)(</.|)-/^(X))|V)| <6(7-7o)'' /or 7 G (-1,1) satisfying \j - jo\ < e, 

(221) 

where additionally \c\ must be small enough so that X + c|0)((/>| also has eigenvalues in (—1,1). 
The same conditions can also be satisfied while demanding that in every case c < 0. 

Proof. Because we are only considering matrices X with eigenvalues in (—1, 1), the matrix \X\ has 
a maximum eigenvalue Xmax < 1 and if for a given |0) we restrict |c| < (1 — Xmax) / i'^{4'\'P)) then 
Eq. (I2T9]) implies 



f^iX + c\cP){cP\)-f^{X) 



< 2\c\ 



(222) 
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The expression {tp\{I + jX)~^\(j)) is a rational function in 7 (recall we are working in a real vector 
space) with no poles in [—1, 1]. If we can choose \(p) such that it has a zero of order at least k at 70 
then by Lemma 1471 we can choose small enough c > (or large enough c < 0) and e > such that 



2|c| 



(/ + 7X)-i 10) '< 6(7-70)2'= for 7 e (-1,1) satisfying I7- 70 1 <e, (223) 



thereby proving the constraint. What remains to be shown is that there exists an n — k dimensional 
space Ti' such that {(p) G Ti' implies that (V'K-^ + 'yX)~^\(l)) has a zero of order at least k at 79. 
If we choose 6 > such that 6\I + 7oX|~^ < / then we can write 

mi + lXy^ = mi + loX + {j-jo)X)-^ (224) 
= ^(7-7o)^(V^I(^ + 7o^)~^ ( / + 7ox J for I7-70I < 

where all matrices are diagonal in the eigenbasis of X, which justifies the unordered products. We 
have shown that the requirement that (V'K-^ + 7X)~^\(j)) have a zero of order at least k at 70 is 
equivalent to k linear constraints on \(f)), and therefore there exists a subspace of dimension n — k 
that simultaneously satisfies all of them. The lemma follows so long as we ensure to pick the 
constants e small enough so that e < 6. □ 

The following fact will also be useful: given c > and e > satisfying the inequality in the above 
lemma (for a given | </>)), then it is also satisfied by any c' and e' such that < c' < c and < e' < e, 
the former property arising because is operator monotone and hence {ip\f^/{X + c\(p) {(pDlip) is 
monotone as a function of c. In the next lemma we will use this to deal with multiple simultaneous 
constraints. 

Lemma 50. Let p and q be functions with support in (—1, 1) such that p ^ q is valid. Let S{p) 
and S{q) he respectively the supports of p and q, and let m he the numher of zeros (including 
multiplicities) for 7 G [—1,1] of the rational function i+^yz ili^) ~ Pi'^))- 

• If m + 2 < 2\S{p)\ there exists a vector \(f)) ^ and constant c > such that p' ^ q is valid, 
where p' = Prob(X', X' = X + c\(/)) {(/)\ and p is canonically represented hy Prob(X, |V'))- 

• If m + 2 < 2\S{q)\ there exists a vector ^ and constant c < such that p ^ q' is valid, 
where q' = Prob(y, |^)), Y' = Y + c|0)((/>| and q is canonically represented hy Prob(y, |^)). 



Proof. We will prove the first case, the second case being nearly identical. The key idea is that 
q{z) — p'{z) = {q{z) — p{z)) — {p'{z) — p{z)), and therefore p' ^ q will be valid if 

(^1 (/^(X + c\<P) (01) - /-.(X)) IV') < T^(9(^) - ?'(^)) ^ ^ [-1' (225) 

z 

By construction the right-hand side has no poles and exactly m zeros (including multiplicities) for 
7 G [—1, 1]. For each zero we can find, by Lemma WR a lower bound for the right-hand side of the 
form 0(7 — 7o)2'= valid in some neighborhood of the zero. Since all multiplicities for zeros in (—1, 1) 
are even we can chooses 2k to equal the multiplicity of the respective zero. Zeros occurring at the 
end points —1 and 1 can have odd multiplicities, in which case we can choose 2k to be at most 
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one plus the multiplicity of the zero. By Lemma [l9] for each neighborhood there is an S{p) — k 
subspace of vectors that satisfies the constraint, possibly in a smaller neighborhood, for some 
c > 0. The sum of the constants 2k over each of the zeros is therefore at most m + 2 (and this can 
only occur if there are zeros of odd order at both 70 = —1 and 70 = 1). Therefore, the number 
of linear constraints needed to specify all the subspaces is at most [^^^^^J < |'S'(p)|. Therefore, the 
intersection of all these subspaces is non-trivial and we can find a non-zero |0) and a c > (chosen 
as the smallest of the given c constants) such that the inequality of Eq. (j225p is satisfied in the 
union of all the neighborhoods. 

We also need to ensure that c > is chosen small enough so that X' = X+c\(l)) {(pl has eigenvalues 
in (—1, 1), but because X has eigenvalues in (—1, 1) that is always possible. What remains to be 
checked is that the inequality is satisfied outside the neighborhoods surrounding the zeros. But the 
complement of these neighborhoods in [—1, 1] is a compact set on which the inequality becomes a 
strict inequality. Therefore, for any vector \(f)) we can find a c > such that the inequality holds. 
The lemma is proven by choosing c > small enough to satisfy all the preceding conditions. □ 

To make use of the above lemma we note that the degree of the numerator of the rational 
function of 7 given by 



+ 7-z 



iq{z)-piz)) (226) 



is at most \S{p)\ + \S{q)\ — 1 because we are summing at most \S{p)\ + \S{q)\ terms. In fact, the 
degree of the numerator is at most \S{p)\ + \S{q)\ — 2 because the coefficient of 'j\^(p)\+\^(i)\~^ is 

In the following discussion the number of zeros of p q refers to the number of zeros (including 
multiplicities) for 7 G [0,1] of the numerator of the rational function J2z i+^z (^(-^) ~ P{^))- The 
argument from the last paragraph shows that the number of zeros of p ^ is at most |5'(p)| -|- 
\S{q)\-2. 

As a consequence, if \S{p)\ > \S{q)\, then 2|S'(p)| > \S{p)\ + \S{q)\ > m + 2 where m is the 
number of zeros of p — > g. Therefore, we can always find a \(p) as in the above lemma to perturb 
p. Similarly, if |5(p)| < \S{q)\ there exists a that can be used as a perturbation on q. Both 
perturbations can be found if l^d?)! = |>S'(g)| and the number of zeros of p ^ g is less than its 
maximal value of 2|S'(p)| — 2. The special case of |5'(p)| = |5'((;)| with maximal zeros will be dealt 
with separately later in the section 

Let us now discuss what happens once we have found a valid \(p) and c, and start increasing the 
value of c. For concreteness, we take the first case of the preceding lemma so that p' ^ q is valid, 
p' = Prob(X', IV')), P = Prob(X, l^i/;)) is a canonical representation so that X has dimension |5'(p)|, 
and X' = X + c\(l)){4>\. 

As we increase c there are two constraints that can force us to stop: either X'{c) = X + c\(p){(l)\ 
gets an eigenvalues larger than 1, or p' ^ q is no longer valid. Let cq be the largest allowed value 
of c and let pg = Prob(X'(co), \ip))- Note that p — > p'^ is still expressible by matrices and p'q ^ q is 
still valid because the respective constraints are defined using non-strict inequalities. 

If the stopping condition for increasing c is that the eigenvalues get too large, then X'(co) < / 
but X'{co) has 1 as an eigenvalue. Because q has support in (—1, 1), the value of jip^Qiz) at 
7 = — 1 is finite, so as c — > cq the amplitude of on the largest eigenvector of X'{c) must be 
going to zero, and must be zero at c = cq. The first consequence of this is that Pq{z) ultimately 
does not have support on 2; = 1, and therefore its support is still contained in (—1, 1). The second 
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consequence is that the size of the support of pg is smaller than the dimension of the space on 
which X is defined, which equals the support of p. In other words IS'd^g)! < |5'(p)|. 

On the other hand lets assume that for c > cq the transition to q is no longer valid. In 
such a case the rational function {q{^) ~ p'oi^)) must have an extra zero in [—1, 1] that 

1+ z ~Pi^)) have, or one of the existing zeros must have a higher degree. That is, 

the number of zeros in pg — > g is greater than the number of zeros in j? — > Note that in this case, 
by construction |5'(pg)| < |5'(p)|, whereas in the previous case (where we proved |5'(pg)| < |5'(p)|) 
the number of zeros cannot decrease. 

Let p ^ q he valid with \S{p)\ > \S{p)\. We can repeatedly apply the above perturbation 
process to obtain a sequence of valid transitions p = Po ^ Pi ^ • • • ^ Pi ^ Q, such that, as 
functions of i, the number of zeros of — > g is monotonically increasing along the chain and |5'(pj)| 
is monotonically decreasing along the chain. Furthermore, in each transition either the number of 
zeros increases or |S'(pj)| decreases. The number of zeros is upper bounded by \S{p)\ + \S{q)\ — 2, 
and therefore after a finite number of steps we must get to a pi such that either 1 5(^^)1 < \S{q)\ or 
= |5'(g)| and the number of zeros is maximal. In the former case, we can continue the chain 
by perturbing q. Repeatedly working on both sides we can end up with a chain 

P = Po ^Pi^ >Pe = P ^ q = qe' ^ > qi^ qo = q (227) 

such that all transitions are valid, and all but p' q' are known to be expressible by matrices. 
Furthermore, |5'(y)| = |5'(g')| and p' — > q' has 2\S{p')\ — 2 zeros. If we can prove that p' — > q' is 
expressible by matrices then by transitivity we will have also proven that p — > g is expressible by 
matrices. 

To complete the result of this section, we now need to study the remaining special case of 
l'S'(p')l — \'SiQ')\ with maximal zeros. From the proof of Lemma [50l we can see that in fact the only 
case when we can't find a perturbation is when there are zeros of odd order at both 70 = —1 and 
7o = 1. In all other cases we can continue the above chain until p' = q' . 

To deal with zeros of odd order at 70 = — 1 and 70 = 1 we need to enlarge the vector space on 
which we are working. Rather than using a canonical representation p = Prob(X, we append 
to X an extra eigenvalue —1, so that we end up with a new matrix X having dimension \S{p) + 1| 
and eigenvalues in [—1,1). Similarly, we can request a representation q = Prob(y,|0) so that 
Y has dimension |5'((7)| + 1 including a single eigenvalue 1. Note that it is pointless to append 
eigenvalues of 1 to X (or — 1 to y) as we can't add (resp. subtract) in any vectors \(p){(p\ to that 
subspace without ending up with eigenvalues outside [—1, 1]. 

The following discussion will concern the first case, where the matrix X has a single eigenvector 
| — 1) with eigenvalue —1. It will be useful to define Ti as the space containing X, and 7i C Ti as 
the subspace orthogonal to | — 1). We want to keep n as the size of the support of p, so 7i will have 
dimension n and Ti will have dimension n + 1. We still want p = Prob(X, to have support in 
(— 1, 1), though, so (— 1|V') = or equivalently G Ti.. We will consider perturbations of the form 
X + c\4>){4>\ where \4>) = |(/>) +a|-l). 

Our immediate goal is to extend Lemma [M] to deal with matrices X with eigenvalues in [—1, 1) 
for c > 0. For 70 G [—1, 1) it will be a straightforward extension: We want to find an (n — k)- 
dimensional subspace TL' <Z TL oi vectors |0) so that for any a E M the vector |(^) = |(/)) + a|— 1) 
satisfies the inequality 

h\ (/-.(X + c|0)(<^|) - f^{X)) < 6(7 - 70)2^= for 7 E (-1, 1) satisfying I7 - 70I < e (228) 
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for some c > and e > 0. 

As the proof of the above is nearly identical to the proof of Lemma HU we will only discuss the 
differences. Our main tool is Eq. (j219p which also applies to our extend matrix X. For convenience 
we rewrite it here 



f^{X + c\^){^\)-f^{X) 
Given 16) = 



,-1 



[i+jxy 



\i + jc{^\ {i + ^xy 

+ a|— 1) we want to choose c > small enough so that 
f^{X + c\^){^\)-f^{X)' 



[i+jxy 



(229) 



< 2 c 



il + jX) 



(230) 



for 7 G (—1, 1) satisfying I7 — 7o| < £• To accomplish this let Xmax be the largest eigenvalue of X 
and restrict c < (1 — X'^^^)/{2{(f>\4>)). We then have 7c(0| [I + 'jX)~^ \(j)) > —1/2 as required. We 
then note that {tpl [l + 'jX)'^ {(j)) = (-01 (/ + 7^)""^ If/*) where X is the restriction of X to H. We 
end up with an equation identical to Eq. (j222p in the proof of Lemma 091 The rest of the proof 
carries through. 

The interesting extension of Lemma H9] occurs at 70 = 1. For 7 G (—1, 1) we have 



|ap(l-7)- 



< 



(231) 



because 1 + 7X is positive definite and the left-hand side drops some positive terms. If a 7^ we 
can further write for 7 G (0, 1) 



l + 7c((A| {I + 7X) 



< 



c(l-7) 



l + 7c|a|2(l-7)-i 1-7(1 



< 



1 



7 



CO 



(232) 



where in the last step we assumed c < l/|op so that the denominator is minimized by 7 
Combined with Eq. (j229p we get 



1. 



f^{X + c\^){^\)-f^{X) 



)l«) 


^ ',7 




or 



(l + jX) 



(233) 



for 7 G (1 — e, 1) so long as we choose e < 1. Therefore, at 70 = 1 we can prove something stronger 
than Lemma |49l The constructed (n — A;)-dimensional subspace will satisfy an upper bound of 
^(7 ~ 70)^*^^^ rather than just 6(7 — 70)^^^- The caveat is that the bound will only hold when \a\ is 
large enough: 

Lemma 51. Let Ti, TC, n, X, {ip) and f-yix) be as above. In particular, X has eigenvalues in 
[—1,1) with a unique eigenvector |— 1) with eigenvalue —1 and = 0. Given a polynomial 

6(1 — 7)2^^+1 with constants b > and integer k > 0, we can find an (n — k)- dimensional subspace 
TC' C TC and a number G > such that for any \(f)) £ TC' and a > Q{(f)\(f)) there exists c > and 
e > satisfying X + c|(^)(0| < / and 



where 



f^ix + c\4>){^\)-f^{x) 

^)+a\l). 



< ^(1 - 7) 



2fe+l 



for 7 G (1 - e, 1), 



(234) 
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Proof. The proof starts from Eq. (j233p . As before, = implies ('01 (/ + 7^) ^ {(p) = 

{I + 'yX)~^ where X is the restriction of X to Ti.. The argument from the proof of Lemma H9l 
gives us an (n — /c)-dimensional subspace Ti' C Ti. of vectors £ Ti' such that the numerator of 
the rational function (/ + 7^)"^ |(/>) has a zero of order /c at 7 = 1. Given \(p) £ Ti.' we can find, 
by Lemma Wl\ a small enough e > and large enough a > so that 

^ I (VI (/ + 7^)"' \<P)f < h{i - 70)''+' for 7 e (1 - e, !)• (235) 

To complete the proof choose to be the maximum of such choices of |ap over the compact set of 
|(/>) G Ti' that additionally satisfy (</>|(/') = 1. □ 

A similar result holds for Y with eigenvalues in (—1,1] and c < 0. We now prove a special 
version of Lemma [50l 

Lemma 52. Letp ^ q be functions with support in (—1, 1) such that p q is valid, \S{p)\ = \S{q)\ 
and the number of zeros of p ^ q is maximal with odd order at both 7 = — 1 and 7 = 1. Then 

• There exists a vector \(j)) = \(j)) + a|— 1) and constant c > such that p' ^ q is valid, 

where p' = Prob(X', \tp)), X' = X + c|0)(0| < I, p = Prob(X, IV')); the dimension of X is 
\S{p)\ + 1 including a unique eigenvector |— 1) with eigenvalue —1, {(p\—l) = and \(p) 7^ 0. 

• There exists a vector |0) = |0) + a\l) and constant c < such that p ^ q' is valid, 

where q' = Prob(y', Y' = Y + c\(j)){(j)\ > —I, q = Prob(y, \(,)), the dimension of Y is 
\S{q)\ + 1 including a unique eigenvector |1) with eigenvalue 1, (0|1) = and \(f)) 7^ 0. 

Proof. We prove the first case, the second being nearly identical. As in the proof of Lemma [50] the 
main goal is to ensure 

f^{X + c\4>){4>\) - A W) IV') < E T^ili^) - Pi^))- for all 7 e [-1, 1]. (236) 

z ' 

By assumption, the number of zeros of the right-hand side is 2|5(p)| — 2, with odd order at both 
7 = — 1 and 7 = 1. The problem with the original proof of Lemma [50] is that it would seek vectors 
\(j)) such that the left-hand side had an even number of zeros at 7 = — 1 and 7 = 1 and the total 
number of zeros was 2|S(p)|. Therefore, the total number of linear constraints on |0) would be 
\S{p)\ and the only vector {(p) that satisfies all the constraints is |— 1). 

However, Lemma [51] allows us to satisfy the bound while placing only an odd number of zeros 
at 7 = 1 (though still an even number of zeros at 7 = — 1), and therefore requiring only jS'd?)! — 1 
constraints (so long as the coefficient of |— 1) is large enough). In particular, there exists a non-zero 
vector 10), a large enough a > and small enough c > so that \4>) = 10) -|- a|l) satisfies the above 
inequality in a neighborhood of each of the zeros of the right-hand side. 

The proof is then completed by picking a potentially smaller c > to ensure that the inequality 
is satisfied outside the neighborhoods and that X + c|0)(0| < I. □ 

Lemma 53. Letp ^ q be functions with support in (—1, 1) such that p q is valid, \S{p)\ = \S{q)\ 
and the number of zeros of p ^ q is maximal with odd order at both 7 = — 1 and 7 = 1. Then 

• There exists p' : (—1, 1) [0, 00) such that p' / p, \S{p')\ = \S{p)\, p ^ p' is expressible by 
matrices and p' ^ q is valid. 
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• There exists q' : (—1,1) — > [0, cxd) such that q' ^ q, \S{q')\ = \S{q)\, q' ^ q is expressible by 
matrices and p ^ q' is valid. 

Proof. We shall prove the first case. Take p' from the previous lemma and increase c until either 
p' ^ q gets a new zero or until X + c|(^)((^| gets an eigenvalue of 1. 

In the first case, either we either end up with p' = q, or we have = \S{q)\ + 1 and p' ^ q 

has maximal zeros, in which case we can use Lemma [50] to create a second perturbation to get 
p" — > q. Increasing this second c > cannot increase the number of zeros or decrease the support 
size of the support of p" unless we end up with p" = q. In either case we have proven that p ^ q 
is expressible by matrices and we can choose p' = q to satisfy the lemma. 

Alternatively if X + c\4>){4>\ gets an eigenvalue of 1, then we end up with = \S{p)\ and 

by construction p ^ p' is expressible by matrices and p' ^ q is valid. To prove that p' ^ p we note 
that because is not proportional to | — 1) the maximum c must be less than 2, so the trace of the 
canonical matrix expressing p' is smaller than the trace of the canonical matrix expressing p. □ 

Lemma 54. Letp andq be functions with support in (—1, 1) such thatp q is valid, \S{p)\ = \S{q)\ 
and the number of zeros of p ^ q is maximal with odd order at both 7 = — 1 and 7=1. Then 
p ^ q is expressible by matrices. 

Proof. Let p = Prob(X, lip)) with X a 2|S'(p)| — 1 dimensional matrix which includes |5'(p)| — 1 
orthogonal eigenvectors with eigenvalue —1. We seek the infimum of /_^-|^ i+'yz il(^) ~ p'{^))d'y 
over p' = Prob(X', satisfying p' ^ q valid and X < X' < T Because we are optimizing X' 
over a compact set the infimum is achievable, and the resulting p' will satisfy p ^ p' is expressible 
by matrices and p' ^ q is valid. 

If p' = q the lemma is proven. Otherwise, by the preceding theorem there exists p" 7^ p such 
that p' — > p" is expressible by matrices and p" q is valid. Then J^-^ j:p:^{p"{^) ~p'{^))d'y > 

and hence j\ TT^(9(^) - p'{z))dj > f\ Y.z TT^(9(^) " P"{z))dl- But also, by transitivity, 
p — > p" is expressible by matrices and in fact, because the dimension of X is large enough, we can 
write p" = Prob(X", for X < X" < L That is a contradiction with the optimality of p' . □ 

Corollary 55. If p q is valid in [—1, 1] then it is expressible by matrices in [—1, 1]. 

The results used in Section [2.3.21 can be proven as follows: Lemma [TBI follows from the above 
corollary. Lemmas 1421 and [^5l and the definition of expressible by matrices. Lemma [T7I follows from 
Lemma 1431 
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